Feedback & Followups
- 🇦🇹 🇧🇪 🇮🇹 🇱🇺 🇳🇱 🇵🇹 Apple expands Emergency SOS via satellite to six more countries — appleinsider.com/… (Austria, Belgium, Italy, Luxembourg, the Netherlands & Portugal)
Deep Dive — Two aCropalypses
TL;DR — the markup tool on Google Pixel phones, the Snip & Sketch app on Windows 10, and the Snipping Tool on Windows 11 all left data behind after cropping PNGs, which may allow the image to be un-cropped later. The act of uploading to a social media site that re-encodes images should, inadvertently, fix the problem for that copy.
Google’s Pixel phones offer a markup feature in their image editing app that’s not part of stock Android. Users who used this feature to crop PNG images are at risk from a potentially privacy-destroying bug. The crop feature did visually remove the excess pixels, but under the hood much of the original data was unintentionally preserved. This wasn’t intentional lossless editing or anything like that; it was a bug caused by poor file handling.
The markup tool did not create a new file for the edited version of the image; it opened the existing file for writing without truncating it and wrote the new data over the start of the old data. Cropped images contain less data than uncropped ones, so a chunk of the original data was left unchanged at the end of the file. Because the PNG format uses a special end-of-image chunk (IEND) to mark where the image data stops, decoders ignore the leftovers and the file displays normally. But that leftover data is the tail of the original image’s compressed pixel data, so, given the original dimensions (for a screenshot, the known screen size), it can be decompressed and added back into the image, un-cropping it and revealing whatever it is the user was trying to remove. PNG is a lossless graphics format, so the camera won’t use it to save photos, but it is the preferred format for screenshots, and that’s where the biggest risk is. A very common reason to crop a screenshot is to remove information you don’t want to share, hence the potential privacy problem!
Once the Pixel bug was published, it didn’t take long for security researchers to start testing other image editors, and soon enough two more problem tools were found — the Windows 11 Snipping Tool (not the Windows 10 one), and the Windows 10 Snip & Sketch app. Note that the venerable Paint app is not vulnerable 🙂
This bug appears to go back to the very origins of these tools, so any screenshot cropped in place (i.e. saved over the original file) on a Pixel phone or with the Windows Snip & Sketch or Snipping Tool is likely affected.
One silver lining to this pretty depressing cloud is that most social media sites re-encode the images users upload to reduce their file size and save themselves some money, and as luck would have it, that kind of re-encoding ignores all data after the end-of-image marker in a PNG, so the leaked data is dropped from the copy that gets published.
For similar reasons, saving the cropped image with Save As to a new file (which is created from scratch) rather than overwriting the original with a simple Save also works around the issue.
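As an added example (not code from the original post or from any of the tools mentioned), the following Python script models the file-handling bug described above and the check a practitioner would run on their own screenshots: it builds a PNG, writes a smaller "cropped" PNG over it without truncating the file, then walks the chunk list to measure how much of the original survives past the IEND chunk. `strip_trailing` does for the file what a re-encode or a Save As does. The file names and the noise-filled test images are constructed for the example.

```python
"""Model the aCropalypse file-handling bug and detect/strip leftover PNG data."""
import os
import random
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, seed: int) -> bytes:
    """Build a minimal 8-bit RGB, non-interlaced PNG filled with seeded noise.
    Noise is used so the compressed IDAT stream keeps a realistic size."""
    rng = random.Random(seed)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = []
    for _ in range(height):
        # filter byte 0 ("None") followed by `width` RGB triples
        rows.append(b"\x00" + bytes(rng.getrandbits(8) for _ in range(3 * width)))
    idat = zlib.compress(b"".join(rows))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iend_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk's CRC.
    Decoders stop there; anything at or beyond this offset is invisible to them."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found (truncated or corrupt PNG)")


def trailing_bytes(data: bytes) -> bytes:
    """Bytes left after IEND; a non-empty result means the file may be un-croppable."""
    return data[iend_offset(data):]


def strip_trailing(data: bytes) -> bytes:
    """Keep only the real PNG, which is what a re-encode or a Save As ends up doing."""
    return data[:iend_offset(data)]


def buggy_overwrite(path: str, new_data: bytes) -> None:
    """Model the bug: open the existing file for writing WITHOUT truncation
    and write the smaller image over its start. Opening with 'wb' (which
    truncates) would have avoided the leak."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(new_data)


def simulate_crop(full_w=64, full_h=64, crop_w=16, crop_h=16) -> dict:
    """Write a full screenshot, 'crop' it in place the buggy way, then inspect the file."""
    original = make_png(full_w, full_h, seed=1)
    cropped = make_png(crop_w, crop_h, seed=2)
    with tempfile.TemporaryDirectory() as tmp:  # constructed scratch location
        path = os.path.join(tmp, "screenshot.png")
        with open(path, "wb") as f:
            f.write(original)
        buggy_overwrite(path, cropped)
        with open(path, "rb") as f:
            on_disk = f.read()
    leftover = trailing_bytes(on_disk)
    return {
        "file_size": len(on_disk),
        "original_size": len(original),
        "cropped_size": len(cropped),
        "leftover_size": len(leftover),
        # the leftover is byte-for-byte the tail of the original file: the end
        # of its compressed IDAT stream plus its IEND chunk
        "leftover_is_original_tail": leftover == original[len(cropped):],
        "fixed_equals_cropped": strip_trailing(on_disk) == cropped,
    }


if __name__ == "__main__":
    for key, value in simulate_crop().items():
        print(f"{key}: {value}")
```

Run against a real screenshot, a non-empty `trailing_bytes` result is the signal that the file was cropped in place; stripping it stops the leak from that copy but does nothing for copies already shared. Actually recovering the hidden pixels takes more than this check shows: the tail has to be inflated from a deflate block boundary and laid out using the original dimensions, which is the work an un-cropping tool does.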
Google has patched their Pixel phones, and while Microsoft have fixed their tools, they’re not proactively pushing the patches via software update, so users need to manually update the apps via the Microsoft Store. If you use any of these tools to crop screenshots, *‘patchy-patchy-patch-patch’* 🙂
Links
- Google Pixel phones had a serious data leakage bug – here’s what to do! — nakedsecurity.sophos.com/… (a great explanation with a run retro analogy)
- Microsoft assigns CVE to Snipping Tool bug, pushes patch to Store — nakedsecurity.sophos.com/…
❗ Action Alerts
- Apple have patched their legacy Mac & iPhone/iPad OSes to address critical bugs, including a zero-day bug in WebKit — appleinsider.com/… & www.cultofmac.com/…
Notable News
- Starting April 1, all a Twitter blue checkmark will mean is that the user has paid — appleinsider.com/…
- 🇬🇧 Cops use fake DDoS services to take aim at wannabe cybercriminals — nakedsecurity.sophos.com/… & UK Sets Up Fake Booter Sites To Muddy DDoS Market — krebsonsecurity.com/…
- Wozniak, Musk and leading researchers urge pause on ‘out of control’ AI — www.cultofmac.com/…
- Related: A timely reminder that AI chatbots hallucinate — Google’s Bard rather embarrassingly wrongly told a Microsoft Bing engineer that it was trained on Gmail data — appleinsider.com/…
Interesting Insights
- 🎧 A deep conversation with the CEO of Mastodon that gives a good insight into the way the platform is being designed, developed, and run: Decoder with Nilay Patel: Can Mastodon seize the moment from Twitter? — overcast.fm/…
Just Because it’s Cool 😎
Researchers at the Ruhr University Bochum and the Max Planck Institute for Security and Privacy have released details of an algorithm they developed to find hardware changes in printed silicon chips. This could prove a very valuable weapon in protecting organisations from supply-chain attacks — www.hackster.io/… (via the NosillaCast community)
Palate Cleansers
- The best tribute I read: In Memoriam – Gordon Moore, who put the more in “Moore’s Law” — nakedsecurity.sophos.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |