This article is more than 1 year old
Privacy fail: Pictures cropped, redacted by Google Pixel phones can be recovered
aCropalypse Now, starring any 2018-or-later device
Updated If you've owned a Google Pixel smartphone since the 3 series came out in 2018, bad news: any screenshot that you've cropped or redacted on your Pixel can be potentially restored without much fuss.
Reverse engineers Simon Aarons and David Buchanan, who found the bug and produced a proof-of-concept recovery tool, respectively, dubbed it aCropalypse, and noted "this bug is a bad one" for folks concerned about their privacy.
The flaw lies in how Google's image-editing app Markup, available for the Pixel line, truncates PNG files after they are edited – namely, it doesn't, Buchanan detailed in a write-up over the weekend.
Essentially, if you use the app to crop out sensitive stuff from a screenshot, Google's code doesn't properly shrink the actual file, leaving the cropped-out portion lurking at the end of the data string, which can be potentially reconstructed. Even though you can't see the cropped out area in an image viewer, the data is still there in the file and can be possibly recovered.
That means if someone gets hold of your cropped image, they can try to recover the seemingly missing part. If the image was redacted by scribbling over certain areas, those areas may be visible in the restored picture. This is not great for privacy.
Google has patched aCropalypse, which Buchanan said will be tracked as CVE-2023-21036, in its March Pixel security updates. That's all well and good going forward – now you can crop, redact, and share without fear your future images can be recovered – but there's no unsharing screenshots that are vulnerable to the exploit that you've already passed around, uploaded to Discord, etc.
Buchanan said Google hasn't issued a security advisory about the bug yet. We've asked the ad giant how it plans to handle notifying affected Pixel owners that they may have sensitive data floating around online, and we didn't hear back by press time.
T is for truncate, and it is not implied (in Android 10+)
Buchanan's write-up goes into considerable detail as to how he found what he believes to be the root cause of aCropalypse: a silent change from Android 9 to Android 10 in which the OS-provided Java function parseMode()
now requires the argument "wt" when an app wishes to overwrite and truncate a file to a shorter length, not just "w".
In the past, "w" would truncate a file anyway; from Android 10, the function needs an explicit "wt". Google's Markup was still using "w" when it should have used "wt", so the truncation never happened on Android 10+, leaving previous image data at the end of the PNG file.
According to Aarons, "when you crop and save a screenshot, [Markup] overwrites the image with the new version, but leaves the rest of the original file in its place" because Markup isn't telling Android to truncate the file when writing changes to it.
(Technically speaking, parseMode()
just converts a string describing the kind of access an app wants, eg "wt", into a bitmask to use with open()
. parseMode()
doesn't perform the actual file access, it helps the app prepare for it.)
- Signal goes Gaussian to take privacy to the next level: All your faces don't belong to us
- LowKey cool: This web app will tweak your photos to flummox facial-recognition systems, apparently
- Extreme photo-bombing: Bad ImageMagick bug puts countless websites at risk of hijacking
- eBay eBabe enigma explained: Microsoft bug blamed after topless model slings e-souk's emails at stunned Brits
"The end result is that the image file is opened without the [truncate] flag, so that when the cropped image is written, the original image is not truncated," Buchanan said. "If the new image file is smaller, the end of the original is left behind."
The bits of the file that were supposed to be truncated were found to be recoverable as images after doing some reverse-engineering of the zlib compression library's methodology, which Buchahan says he was able to do "after a few hours of fiddling around." The end result is a proof of concept that anyone with an affected Pixel device can try out for themselves.
While you're at it, be sure to install the latest round of Android security updates, Pixel device or not.
What to make of it? If you have an affected Pixel device, and you've cropped or redacted screenshots and shared them, whoever has them can potentially recover that data. Once you've installed the update, future screenshots should be OK. ®
Updated to add on March 21
David Buchanan of aCropalypse fame now says Windows 11's Snipping Tool and Windows 10's Snip & Sketch cropping utilities also leak image data more or less the same way Google's aCropalypse bug works. If you take a screenshot, save it to disk, then crop it on Windows using those Microsoft tools, and then save over the original file, that file still contains the cropped-out portion, which can be recovered. The image data isn't truncated.
We'll let you know if Microsoft has anything to say about it.