
Bug in Google Markup, Windows Photo-Cropping Tools Exposes Removed Image Data



At the beginning of March, Google released an update for its flagship Pixel smartphones to patch a vulnerability in the devices’ default photo-editing tool, Markup. Since its 2018 introduction in Android 9, Markup’s photo-cropping tool had been quietly leaving data in a cropped image file that could be used to reconstruct some or all of the original image beyond the confines of the crop. Though now fixed, the vulnerability is significant because Pixel users have for years been making, and in many cases presumably sharing, cropped images that may still contain the private or sensitive data the user was attempting to eliminate. But it gets worse.

The bug, dubbed “aCropalypse,” was discovered and originally submitted to Google by security researcher and college student Simon Aarons, who collaborated on the work with fellow reverse engineer David Buchanan. The pair were stunned to discover this week that a very similar version of the vulnerability is also present in other photo-cropping utilities from a totally separate yet equally ubiquitous codebase: Windows. The Windows 11 Snipping Tool and Windows 10 Snip & Sketch tool are vulnerable in cases where a user takes a screenshot, saves it, crops the screenshot, and then saves the file again. Photos cropped with Markup, meanwhile, retained too much data even when the user applied the crop before first saving the photo. 

Microsoft told WIRED on Wednesday that it is “aware of these reports” and that it is “investigating,” adding, “we will take action as needed.”

“It was pretty mind-blowing really, it was as if lightning had just struck twice,” says Buchanan. “The original Android vulnerability was already surprising enough that it hadn’t been discovered already. It was quite surreal.”

Now that the vulnerabilities are out in the open, researchers have started uncovering old discussions on programming forums where developers noticed the odd behavior of the cropping tools. But Aarons seems to have been the first to recognize the potential security and privacy implications—or at least the first to bring the findings to Google and Microsoft.

“I actually noticed it at about 4 in the morning by total accident when I spotted that a small screenshot I sent of white text on a black background was a 5 MB file, and that didn’t seem right to me,” Aarons says.

Images impacted by aCropalypse often can’t be completely recovered, but they can be substantially reconstructed. Aarons provided examples, including one in which he was able to recover his credit card number after he attempted to crop it out of a photo. In short, there is a population of photos out there that contain more information than they should—specifically, information that someone intentionally tried to remove.

Microsoft hasn’t issued any fixes yet, but even those released by Google don’t mitigate the situation for existing image files cropped in the years when the tool was still vulnerable. Google points out, though, that image files shared on some social media and communication services may automatically strip out the errant data.

“As part of their existing compression process, apps and websites that recompress images, like Twitter, Instagram, or Facebook, delete extra data automatically from images uploaded. Images posted to sites like these are not at risk,” Google spokesperson Ed Fernandez says in a statement.

The researchers point out, though, that this is not true of all platforms, including Discord.

As a Discord user, Buchanan says he kept seeing people posting cropped screenshots, and it was really hard not to say anything before the vulnerability was publicly disclosed.

Steven Murdoch, a professor of security engineering at University College London, notes that in 2004 he discovered a vulnerability in which an older version of an image was stored in the thumbnail data for the image even after it had been altered.  

“This isn’t the first time I’ve seen this sort of vulnerability,” Murdoch says. “And I think the reason is because when software is written, it’s tested to make sure that the thing you expect is there. You save an image, you can open the image, and then you’re done. What is not checked is whether there is accidentally extra data stored.”
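The check Murdoch describes as missing, whether a saved file carries extra bytes beyond the image it is supposed to contain, is easy to automate. The following Python is an added example written for this article; it is not code from Aarons, Buchanan, Google or Microsoft. It assumes the affected files are PNGs (the article does not name the format) and models the underlying fault the researchers described publicly, a save that writes the smaller cropped file over the original without truncating it, so the tail of the old file survives on disk. All sample images are constructed in memory; nothing here reconstructs leaked content, it only measures and removes it.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, payload, CRC-32 over type + payload."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_png(width: int, height: int, pixel_at) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (constructed sample data, not a real screenshot).
    pixel_at(x, y) returns the 3-byte RGB value for that pixel."""
    rows = []
    for y in range(height):
        # Each scanline starts with filter byte 0 (no filtering) followed by RGB triples.
        rows.append(b"\x00" + b"".join(pixel_at(x, y) for x in range(width)))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type RGB
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows)))
            + _chunk(b"IEND", b""))


def png_logical_end(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk.
    A correctly written PNG ends exactly there; anything after it is not image data."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # 8-byte header + payload + 4-byte CRC
        if end > len(data):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Number of bytes stored after IEND. Zero for a clean file; a large value is the
    symptom Aarons noticed (a tiny screenshot stored as a multi-megabyte file)."""
    return len(data) - png_logical_end(data)


def strip_trailing(data: bytes) -> bytes:
    """Return the PNG cut at its logical end, discarding any leftover tail before sharing."""
    return data[:png_logical_end(data)]


def simulate_non_truncating_overwrite(old: bytes, new: bytes) -> bytes:
    """Model the faulty save: the new (smaller) file is written over the old one
    without truncation, so old bytes beyond the new file's length remain."""
    return new + old[len(new):]


def demo() -> dict:
    """Constructed scenario: a busy 128x128 'original' overwritten by a 4x4 'crop'."""
    original = make_png(128, 128, lambda x, y: bytes((
        (x * 7 + y * 13) & 0xFF, (x * y) & 0xFF, (x ^ y) & 0xFF)))
    crop = make_png(4, 4, lambda x, y: b"\xff\xff\xff")
    leaked = simulate_non_truncating_overwrite(original, crop)
    cleaned = strip_trailing(leaked)
    return {
        "original_size": len(original),
        "crop_size": len(crop),
        "leaked_size": len(leaked),
        "trailing_after_crop": trailing_bytes(leaked),
        "trailing_after_strip": trailing_bytes(cleaned),
        "cleaned_matches_crop": cleaned == crop,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detector is the test Murdoch says developers do not write: instead of only confirming that the saved image opens, it confirms that nothing else is in the file. Run over a folder of screenshots it flags the files worth re-examining; `strip_trailing` is the safe remediation for a file you still intend to share, and it is also what a recompressing upload pipeline like the ones Google mentions effectively does as a side effect.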

The thumbnail vulnerability Murdoch found in 2004 was conceptually similar to aCropalypse from a data privacy standpoint but had very different technical underpinnings because of issues in application programming interface design. And Murdoch emphasizes that while he sees aCropalypse as a problem for users whose affected photos are already out in the world, its biggest impact may come from the discussions it has raised about how to promote better security practices in API development and implementation.

“This has triggered some interesting conversations about API design and what do you do to teach people to avoid this sort of vulnerability in the future? This is not something that we train people to deal with,” Murdoch says. “It’s not one of these ‘sky is falling’ vulnerabilities, but it’s not good.”
