CVE-2023-21036 / acropalypse is absolutely bonkers.

Apparently for 5+ years the cropping / editing tools for screenshots on Google Pixel phones was only overwriting the start of the screenshot PNG file, but not truncating.

All screenshots shared for the past 5+ years might have data recoverable from them. Demo available at https://acropalypse.app/

Google still hasn't communicated anything on this.

(h/t ItsSimonTime on Musk's site)

I tried it on a screenshot from just a week ago. This is absolutely scary.

First image is the screenshot I saved after cropping. Second is what the demo app managed to recover.

Another one showing how a smaller crop can end up revealing even more of the original screenshot image.

@delroth this apparently works even when sideloading their Markup screenshot editor on Non-Pixel devices.

Scary stuff.

@delroth
Does this also apply for custom ROMs with a similar feature (the screenshot pops up with a crop button next to it)

@instereo256 no clue, sorry -- I would ask the security contacts for your distro.

@delroth I tried uploading some crops to the site and it didn't return anything, on PC it says the file is not a PNG. It turns out my crops were saved as a separate JPEG and with a different name (IMG_* instead of Screenshot_*)

I'm using CrDroid, which I just realized is LineageOS based, so that might be it.

@instereo256 note this only happens with Google's markup screenshot editor, not what crDroid ships (I am ALSO using crDroid, if that matters)

@delroth This is where I'm lucky I've been using LineageOS without that tool...

Seriously though, WTF. That's completely ridiculous *and* implies not just a security snafu but also violating standard POSIX safe overwrite hygiene (write out a new file and replace).

@delroth doesn't seem to work on ones that have been shared online though. I assume because nearly every site / app will re-encode as jpeg to save space

@chrismckee depends on the app, and the size of the file for some apps. Definitely wouldn't make that bet if I had cropped e.g. credit card info or sensitive personal info.

Especially since PNGs don't usually have EXIF-style metadata so it's more common for apps to leave them alone.

@delroth struggled to find one in my vastly (Jesus I need to clean that folder) overfilled screenshot folder. It's just saved the dead space

@delroth twitter/Mastodon/Flickr re-encode. Facebook's passes through image resizer.
It's pretty shit though; not like cropping images is some new coding problem 😅

@delroth happily Snapseed crops fine. Maybe they should have reused the code 😝

@chrismckee looking at the root cause it's hard to blame the cropping app / code itself, Android just fucked up file truncation with open mode "w". https://issuetracker.google.com/issues/180526528

It's possible (likely?) that when the cropping was written and tested originally it didn't have that vuln at all.

@delroth nice. That's a classic refucktor.
When you casually 'tidy' something up and think it's all good because the tests still pass, but in reality the tests don't cover it properly.
Totally never done that before 😏

@delroth @chrismckee WTAF. And the issue is two years old and not only was it not fixed, nobody considered the security implications of this kind of retroactive behavior change?!

@delroth not impressive that they casually say 'we can't make updates to 10/11.
Shit like that makes the EU regulation over software seem sensible 😐.

PoC author @retr0id published his writeup about how the bug was found, I strongly encourage you to give it a read and a follow: https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html

@delroth You would assume it would be common sense not to do this

@delroth But somehow Google went below all of my expectations in this

@crafti @delroth Then again, I think I’d probably fall for the truncation thing as well. But changing the behavior of a file open mode? What the fuck

@delroth the people who run that site are going to be receiving an awful lot of other people's sensitive information

@marnanel it's all client side, nothing gets uploaded. At least in its current version I was using.

@delroth oh thank goodness. Thanks

@delroth