CVE-2023-21036 / acropalypse is absolutely bonkers.

Apparently for 5+ years the cropping / editing tools for screenshots on Google Pixel phones were only overwriting the start of the screenshot PNG file, but not truncating it.

All screenshots shared for the past 5+ years might have data recoverable from them. Demo available at https://acropalypse.app/

Google still hasn't communicated anything on this.

(h/t ItsSimonTime on Musk's site)
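The file-level mechanics described above, as an added example for this thread (not code from the original posts, from Google, or from the Markup app): a valid PNG is written, then "cropped" by overwriting the same path write-only without O_TRUNC, which models the behaviour the thread describes. A chunk walker then reports how many bytes sit after IEND, the same condition a bloat check flags on a real screenshot. The image builder, the file names and the function names are my own constructs; the actual recovery of pixels from the leftover deflate stream is what the linked writeup does and is not implemented here. Constructed sample input only; the script also accepts real PNG paths on the command line.

```python
"""Reproduce the aCropalypse file-level bug and detect affected PNGs.

Added example for this thread, not the Markup app's code. The "buggy" save
models the described behaviour (overwrite without truncate); names are mine.
"""
import os
import random
import struct
import sys
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def make_png(width, height, seed):
    """Build a valid 8-bit RGB PNG of seeded pseudo-random pixels (constructed
    sample input; random pixels keep deflate from shrinking it to nothing)."""
    rng = random.Random(seed)
    rows = b"".join(b"\x00" + bytes(rng.randrange(256) for _ in range(width * 3))
                    for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows))
            + _chunk(b"IEND", b""))


def trailing_bytes(data):
    """Walk the chunk list and return everything after IEND.
    A clean PNG returns b""; anything else is data every decoder ignores but
    that still ships with the file and can be mined."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 crc
        if end > len(data):
            raise ValueError("chunk runs past end of file")
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk")


def save_overwrite_no_truncate(path, data):
    """Buggy model: open the existing file write-only WITHOUT O_TRUNC.
    New bytes land at offset 0; whatever lay beyond len(data) survives."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def save_overwrite_truncate(path, data):
    """Fixed model: O_TRUNC (or ftruncate after the write) drops the old tail."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Save a 64x64 'screenshot', overwrite it with a 16x16 'crop' both ways,
    and report what a later reader of the file can still see."""
    original = make_png(64, 64, seed=1)
    cropped = make_png(16, 16, seed=2)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Screenshot_20230318.png")  # hypothetical name
        save_overwrite_truncate(path, original)        # first save of the screenshot
        save_overwrite_no_truncate(path, cropped)      # the buggy "crop" save
        with open(path, "rb") as f:
            buggy = f.read()
        save_overwrite_truncate(path, original)
        save_overwrite_truncate(path, cropped)         # the fixed "crop" save
        with open(path, "rb") as f:
            fixed = f.read()
    leaked = trailing_bytes(buggy)
    return {
        "original_len": len(original),
        "cropped_len": len(cropped),
        "buggy_file_len": len(buggy),  # same size as the original: the tell
        "leaked_len": len(leaked),
        # the leftover is byte-for-byte the tail of the original, IEND included
        "leaked_is_original_tail": leaked == original[len(cropped):],
        "fixed_leaked_len": len(trailing_bytes(fixed)),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check real files: python3 acropalypse_check.py Screenshot_*.png
        for p in sys.argv[1:]:
            with open(p, "rb") as f:
                n = len(trailing_bytes(f.read()))
            print(f"{p}: {n} trailing byte(s) after IEND" + (" <- check it" if n else ""))
    else:
        for k, v in demo().items():
            print(f"{k}: {v}")
```

Two things worth noticing when running it: the buggy file is exactly as large as the uncropped original, which is the size tell several replies below mention, and the surviving bytes are the tail of the original's IDAT stream plus its IEND, which is why a decoder shows only the crop while the old pixels are still recoverable by anyone who resynchronises the deflate stream.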


I tried it on a screenshot from just a week ago. This is absolutely scary.

First image is the screenshot I saved after cropping. Second is what the demo app managed to recover.

Another one showing how a smaller crop can end up revealing even more of the original screenshot image.
PoC author @retr0id published his writeup about how the bug was found, I strongly encourage you to give it a read and a follow: https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html

@delroth You would assume it would be common sense not to do this
@delroth But somehow Google went below all of my expectations in this
@natty @delroth Yeah, what even is the benefit of doing this? You waste more storage. The user wanted to crop things for a reason.
@lispi314 @natty @delroth have a look at the article, it wasn't intentional, it was caused by bad design of an underlying library
@jamalix @natty @delroth Yeah, I noticed in another thread (https://mastodon.top/@lispi314/110045458847288051) but never did update this one.
@[email protected] Oh wow, that's even worse than what I thought it was. How did anyone ever think that was a good idea?

@natty @delroth hey, the Chromebook secure boot implementation delegates checking the rootfs to the booted kernel

and then they forgot to check rootfs with rma shim kernels (some google-signed ones have been leaked) and just blindly execute code from them (the exploit is called sh1mmer if you were wondering, and is mainly useful for unenrolling managed chromebooks)

so I wouldn't have particularly high expectations

@delroth doesn't seem to work on ones that have been shared online though. I assume because nearly every site / app will re-encode as jpeg to save space
@delroth struggled to find one in my vastly (Jesus I need to clean that folder) overfilled screenshot folder. It's just saved the dead space

@chrismckee depends on the app, and the size of the file for some apps. Definitely wouldn't make that bet if I had cropped e.g. credit card info or sensitive personal info.

Especially since PNGs don't usually have EXIF-style metadata so it's more common for apps to leave them alone.

@delroth sarcasm? This looks like nothing. I also get nothing when i try it.

@delroth Wow... that's incredible level of bad.

I'm now sitting here wondering if it's really Pixel specific or not... and if other screenshot solutions suffer from a similar problem, or Google did something very silly...

At least it seems like it has been fixed in the 2023 March update.... for future screenshots (presumably)...

@simonlbn "future" indeed, since the 2023 March update isn't available publicly for Pixel 6 / 6 Pro at this point.

Yes, despite the fact that Project Zero dropped 5 remotely exploitable vulns for those devices yesterday.

@delroth @simonlbn you know things are bad when I trust my Huawei better than Google's flagship phones.

@flameeyes @simonlbn at least your data mostly gets leaked to various companies and gov orgs in China, not your stalkers and random people online :-)

(But really, having worked on projects close to Android security in the past - Huawei devices have had some absolutely bonkers backdoors.)

@delroth @simonlbn oh I can believe that, but it's a matter of threat model, as you just noted 😉

@delroth Ah, I hadn't even considered that might be the case :-(.

The only Android phone I use regularly is my corp phone so I have no idea what the normal release schedules are.

@delroth So if I crop "thesebooksImselling.png" because I want to get rid of my nasty bare feet in the photo I put on ebay, the cropped version just gets written to the top of the PNG file, but the original data is still present, just not normally readable. Interesting!
@delroth It seems to not work on my pixel 4a. The power of the 3.5mm jack, baby!
@delroth Is this specifically Pixel devices only? Or are other devices possibly affected?

@NekoEd no idea -- another reason why it would be great if Google actually released information...

I've only seen confirmation for Pixel screenshots. However the root cause of the vulnerability is a behavior change in AOSP which could potentially have similar effects for other apps (https://issuetracker.google.com/issues/180526528).


@delroth @NekoEd OxygenOS 13's Photos app (OnePlus) does not seem to be vulnerable (even if it was, screenshots on Oxygen are jpg).
@delroth
I'm not sure I understand. This happens when the native Pixel image app is used for cropping/editing?
@delroth
Does this also apply for custom ROMs with a similar feature (the screenshot pops up with a crop button next to it)
@instereo256 no clue, sorry -- I would ask the security contacts for your distro.

@delroth I tried uploading some crops to the site and it didn't return anything, on PC it says the file is not a PNG. It turns out my crops were saved as a separate JPEG and with a different name (IMG_* instead of Screenshot_*)

I'm using CrDroid, which I just realized is LineageOS based, so that might be it.

@instereo256 note this only happens with Google's markup screenshot editor, not what crDroid ships (I am ALSO using crDroid, if that matters)
@instereo256 @delroth it applies to the Markup app normally only available on Pixel phones, if the custom ROM is sideloading that app then it's vulnerable too

@delroth this apparently works even when sideloading their Markup screenshot editor on non-Pixel devices.

Scary stuff.

@delroth The most surprising thing to me is that it apparently took 5 years for anyone willing to publish to go looking for these pixels.

Do we know what code module has the bug and whether it could be used anywhere else that isn't a Pixel phone?

@bdsl @delroth The most surprising thing to me is that for 5+ years nobody noticed a cropped Android screenshot takes up exactly the same space as the original.
I guess that's due to the tendency to hide the file system paradigm from users on the two dominant mobile operating systems.
@delroth
Woah. Original and recovered from a screenshot I took yesterday on my pixel 6a and cropped in the screenshot tool.
@delroth
I had sent it to a friend over Google Chat. Nothing recovered from that copy - looks like Chat reencodes.
@delroth I wonder if Google patched this for the Pixel 7 since I can't get it to work. Weird stuff.
@mylan it should be part of the March security update which got rolled out to Pixel 7 earlier this week. Still no update for Pixel 6 though...
@delroth ah, that explains it. Sorry if this was explained earlier, I tried to read it all. Definitely don't mean to downplay the severity of it, this is kinda wild. I've certainly cropped screenshots because of sensitive info and now here we are. Hopefully those screenshots aren't floating around somewhere anymore 🙄
@mylan @delroth try it on a screenshot you took and cropped before March...

Fiddler's "Show Image Bloat" extension already flags CVE-2023-21036 / acropalypse untruncated images, as the untruncated bytes at the end are bloat!

https://www.telerik.com/blogs/identifying-image-bloat-part-two

@delroth Just tested - this is working for at least some of my screenshots. Very bad.

@delroth That sounds a bit like the challenge from Underhanded C Contest 2008 (http://www.underhanded-c.org/_page_id_17.html):

> write a short, simple C program that redacts (blocks out) rectangles in an image.
> The challenge: write the code so that the redacted data is not really gone.


@ollibaba should retroactively give the crown to the Pixel team
@ollibaba @delroth I had to think of that one as well…
@delroth my phone outsmarted the PoC tool because it takes .jpg screenshots
@delroth Ah! Disaster. What about editing with the pen tool? I imagine that must overwrite? Just thinking of all the screenshots I have made on my Pixel. And I hope bird site, Mastodon, WhatsApp, etc. don't use the og files, so this can't be done?
@eddie @delroth you're affected if your edit makes the compressed file size smaller than the original (such as redacting a large rectangle), not only cropping.
@delroth How can people not notice for 5 years that cropping a tiny bit out of a 1 meg PNG yields a 1 meg PNG? Or is just nobody using Pixel phones?

@deBaer @delroth

Most people aren't checking the file sizes of their phone based files. Especially since that's not data that is presented to you by default. Unlike, say, if I were to open an explorer window in Windows, go to a file, edit it drastically, and instantly see the file size info change in explorer.

@delroth AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@delroth Unable to reproduce for screenshots from last year taken on my Pixel 5.
@LinqLover @delroth It depends on which tool you used to crop them. As I understand it, only the screenshot editor of the Pixel phones did it wrong. If you used anything else like Google Photos to crop the screenshot, there should be no problem.
@raimue @delroth No, just swiped from the bottom bar of the screen to the center, pressed screenshot, pen and crop.

@delroth

So not only did Google drop "don't be evil", they went full 180 and said "Yo, let's be evil."

Absolutely no fucking reason to keep the original image after saving over it with a crop/edit.