
Security Bits — 2 April 2023

Feedback & Followups

Deep Dive — Two aCropalypses

TL;DR — the Markup tool on Google Pixel phones, the Snip & Sketch app on Windows 10 and the Snipping Tool on Windows 11 all left the original image data behind after cropping PNGs, which can allow a cropped screenshot to be un-cropped later. The silver lining is that uploading to most social media sites, which re-encode images, inadvertently strips the leftover data.

Google’s Pixel phones offer a Markup feature in their image editing app that’s not part of stock Android. Anyone who used this feature to crop PNG images is at risk from a potentially privacy-destroying bug. The crop feature did visually remove the excess pixels, but under the hood much of the original data was unintentionally preserved. This wasn’t intentional non-destructive editing or anything like that; it was a bug caused by poor file handling, specifically writing the new, smaller file over the old one without truncating it first.

The Markup tool did not create a new file for the edited version of the image, it simply wrote the new data over the old data in the same file. A cropped image contains less data than the uncropped one, so a chunk of the original file was left untouched at the end. Because the PNG format uses a special end-of-image chunk (IEND) to mark where the image data stops, the leftovers after that marker don’t cause any problems when displaying the image; viewers simply ignore them. But that leftover data is the tail end of the original’s compressed pixel data, and researchers showed that it can be decoded and stitched back into the image, un-cropping it and revealing whatever the user was trying to remove. PNG is a lossless graphics format, so the camera app doesn’t use it to save photos, but it is the standard format for screenshots, so that’s where the biggest risk is. A very common reason to crop a screenshot is to remove information you don’t want to share, hence the potential privacy problem!

Once the Pixel bug was published, it didn’t take long for security researchers to start testing other image editors, and soon enough two more problem tools were found: the Windows 11 Snipping Tool (not the Windows 10 one), and the Windows 10 Snip & Sketch app. Note that the venerable Paint app is not vulnerable 🙂

This bug appears to go back years, so any screenshot cropped and saved in place on a Pixel phone, or with the Windows Snip & Sketch or Snipping Tool, should be assumed to be affected.

One silver lining to this pretty depressing cloud is that most social media sites re-encode the images users upload to reduce their file size and save themselves some bandwidth and storage. As luck would have it, re-encoding decodes the image and writes a brand new file, so everything after the end-of-image marker in the PNG is ignored and the leaked data is dropped. The caveat is “most”: a site that stores the uploaded file byte-for-byte would preserve the leftovers.

For similar reasons, using Save As to write the cropped image to a new file, rather than a plain Save over the original, also works around the issue, because a fresh file contains nothing after the end-of-image marker.
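The file-handling mistake described above, the check for leftover data after the end-of-image marker, and the reason re-encoding or saving to a fresh file removes it, as an added worked example. This is not code from the page, Google or Microsoft: the PNG files are constructed in memory, and buggy_save is a simplified model of “write the smaller file over the larger one without truncating”, not the real Markup or Snipping Tool code. Reconstructing the cropped-away pixels from the leftover compressed data (what the researchers’ tooling does) is deliberately not shown; the example only demonstrates that the original’s data survives and how to detect and strip it.

```python
"""Simulate the aCropalypse file-handling bug on PNGs built in memory,
detect the leaked tail after IEND, and show why a fresh file or a
re-encode removes it. Added example; the PNG data is constructed."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, payload, CRC32(type+payload)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def encode_png(width: int, height: int, pixels: bytes) -> bytes:
    """Minimal encoder: 8-bit RGB, filter type 0 on every row, a single IDAT chunk."""
    assert len(pixels) == width * height * 3
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = (b"\x00" + pixels[y * width * 3:(y + 1) * width * 3] for y in range(height))
    idat = zlib.compress(b"".join(rows))
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk.
    Viewers and re-encoders stop reading here, so anything beyond it is
    invisible on screen but still present in the file."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk: truncated or corrupt PNG")


def trailing_bytes(data: bytes) -> bytes:
    """Bytes after IEND: b'' for a clean file, leftover data for a leaky one."""
    return data[png_end_offset(data):]


def strip_trailing(data: bytes) -> bytes:
    """What 'Save As' to a new file or a re-encoding upload effectively does:
    keep only the bytes up to and including IEND."""
    return data[:png_end_offset(data)]


def buggy_save(file_on_disk: bytes, new_png: bytes) -> bytes:
    """Model of the bug: the existing file is opened for writing WITHOUT being
    truncated and the (shorter) cropped image is written from offset 0, so the
    tail of the old file survives after the new IEND."""
    if len(new_png) >= len(file_on_disk):
        return new_png
    return new_png + file_on_disk[len(new_png):]


def crop_pixels(width: int, height: int, pixels: bytes, new_w: int, new_h: int) -> bytes:
    """Top-left crop of an RGB buffer (the part the user wants to keep)."""
    return b"".join(pixels[y * width * 3:(y * width + new_w) * 3] for y in range(new_h))


def demo() -> dict:
    # Constructed input: a 64x64 gradient standing in for a full-screen screenshot.
    w = h = 64
    pixels = bytes((x * 7 + y * 13 + c * 31) & 0xFF
                   for y in range(h) for x in range(w) for c in range(3))
    original = encode_png(w, h, pixels)
    cropped = encode_png(16, 16, crop_pixels(w, h, pixels, 16, 16))
    leaky = buggy_save(original, cropped)  # what ends up on disk after a buggy crop
    return {
        "original_len": len(original),
        "cropped_len": len(cropped),
        "leaky_len": len(leaky),
        "trailing_len": len(trailing_bytes(leaky)),
        "viewer_sees_cropped": strip_trailing(leaky) == cropped,
        "tail_is_original_data": trailing_bytes(leaky) == original[len(cropped):],
        "clean_after_strip": trailing_bytes(strip_trailing(leaky)) == b"",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running trailing_bytes over a folder of screenshots is a quick way to find files that need attention: a clean PNG returns nothing, a file saved by one of the affected tools returns the surviving tail of the original. strip_trailing is the same thing a re-encoding upload achieves, just without decoding the pixels.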

Google has patched their Pixel phones, and while Microsoft have fixed their tools, they’re not proactively pushing the fixes via Windows Update, so users need to manually update the apps via the Microsoft Store. If you use any of these tools to crop screenshots, patchy-patchy-patch-patch 🙂

Links

❗ Action Alerts

Notable News

Interesting Insights

Just Because it’s Cool 😎

Researchers at the Ruhr University Bochum and the Max Planck Institute for Security and Privacy have released details of an algorithm they developed to find hardware changes in printed silicon chips. This could prove a very valuable weapon in protecting organisations from hardware supply-chain attacks — www.hackster.io/… (via the NosillaCast community)

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(country flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
