CVE-2023-21036 / acropalypse is absolutely bonkers.

Apparently for 5+ years the cropping / editing tools for screenshots on Google Pixel phones were only overwriting the start of the screenshot PNG file, but not truncating.

All screenshots shared for the past 5+ years might have data recoverable from them. Demo available at https://acropalypse.app/

Google still hasn't communicated anything on this.

(h/t ItsSimonTime on Musk's site)
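The write pattern described in the first post, as an added example that is not code from the acropalypse demo or from Google: a Python checker that walks the PNG chunk list and reports any bytes left after the IEND chunk, run on a constructed sample where a small image is written over the start of a larger one without truncation.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def trailing_bytes_after_iend(data: bytes) -> int:
    """Return the number of bytes that follow the IEND chunk.

    0: file ends where a PNG should.  >0: leftover data a decoder ignores but a
    recovery tool can read.  -1: no complete IEND chunk (truncated/malformed).
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            return -1
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    return -1

def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit greyscale PNG (constructed sample data)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Filter byte 0 per scanline, then a varying pixel pattern so the data does not compress away.
    raw = b"".join(b"\x00" + bytes((x * 7 + y * 13) & 0xFF for x in range(width))
                   for y in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

# Constructed sample: a 1x1 "crop" written over the start of a 64x64 "original"
# without truncating the file, which is the write behaviour the thread describes.
ORIGINAL = make_png(64, 64)
CROP = make_png(1, 1)
LEAKY = CROP + ORIGINAL[len(CROP):]

def classify(data: bytes) -> str:
    n = trailing_bytes_after_iend(data)
    if n < 0:
        return "truncated or malformed: no complete IEND chunk"
    return "clean" if n == 0 else f"suspect: {n} bytes after IEND"

if __name__ == "__main__":
    print("crop only:", classify(CROP))
    print("crop over original:", classify(LEAKY))
```

Run it over a screenshot folder to find files worth re-exporting before sharing; a copy that a site has re-encoded as JPEG (as noted further down in the thread) would no longer carry the tail.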


I tried it on a screenshot from just a week ago. This is absolutely scary.

First image is the screenshot I saved after cropping. Second is what the demo app managed to recover.

Another one showing how a smaller crop can end up revealing even more of the original screenshot image.
PoC author @retr0id published his writeup about how the bug was found. I strongly encourage you to give it a read and a follow: https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html

@delroth You would assume it would be common sense not to do this
@delroth But somehow Google went below all of my expectations in this
@natty @delroth Yeah, what even is the benefit of doing this? You waste more storage. The user wanted to crop things for a reason.
@lispi314 @natty @delroth Have a look at the article; it wasn't intentional, it was caused by bad design of an underlying library.
@jamalix @natty @delroth Yeah, I noticed in another thread (https://mastodon.top/@lispi314/110045458847288051) but never did update this one.
LisPi (@lispi314@mastodon.top)

@[email protected] Oh wow, that's even worse than what I thought it was. How did anyone ever think that was a good idea?


@natty @delroth hey the chromebook secure boot implementation delegates checking rootfs to the booted kernel

and then they forgot to check rootfs with rma shim kernels (some google-signed ones have been leaked) and just blindly execute code from them (the exploit is called sh1mmer if you were wondering, and is mainly useful for unenrolling managed chromebooks)

so I wouldn't have particularly high expectations

@delroth doesn't seem to work on ones that have been shared online though. I assume because nearly every site / app will re-encode as jpeg to save space
@delroth struggled to find one in my vastly (Jesus I need to clean that folder) overfilled screenshot folder. It's just saved the dead space

@chrismckee depends on the app, and the size of the file for some apps. Definitely wouldn't make that bet if I had cropped e.g. credit card info or sensitive personal info.

Especially since PNGs don't usually have EXIF-style metadata so it's more common for apps to leave them alone.

@delroth sarcasm? This looks like nothing. I also get nothing when I try it.