Acropalypse: a vulnerability in Google's screenshot editing tool (opens in new tab)

(twitter.com)

137 pointsPenguinRevolver3y ago44 comments

44 comments

For a hint at how the bug works, see this https://issuetracker.google.com/issues/180526528 (more details coming soon™)

From https://twitter.com/David3141593/status/1636979466860744704

Also: you [can] do a basic check with tools like exiftool - it will report "Warning: [minor] Trailer data after PNG IEND chunk" on vulnerable images.

From: https://twitter.com/David3141593/status/1636981307891671041

wffurr3y ago

I still can’t believe they changed the meaning of the “w” flag. I had never heard of the “wt” file mode. Does that exist on other POSIX systems?

acdha3y ago

That part is amazing: it calls into question the entire Android code review process that nobody thought breaking compatibility wasn’t a problem, much less doing so in a way which looks like one of the most familiar interfaces in the world. It seems unlikely that this isn’t just the first, most visible bug.

1 more reply

hedora3y ago

As bad (but on the png side, not the fs library side), if the app crashes mid crop, then this misuse of the posix API means the original image will be corrupted.

They should be doing a “mktemp; write; sync; rename”, which atomically and durably replaces the file in most linux file systems.

There might also be an exploitable race where you overwrite the file in place while it is being parsed, leading to undefined behavior in applications attempting to read the file.

progval3y ago

Python already uses the "t" character with a very different meaning: opening in text mode.

e4e53y ago

Nice write-up here: https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse...

ZiiS3y ago

The fact this wasnt triaged as a security bug is unforgivable https://issuetracker.google.com/issues/180526528

ajross3y ago

> The fact this wasnt triaged as a security bug is unforgivable

Hyperbole like this is unhelpful. The reporter didn't think of it as a security bug, and the discussion in the bug itself is about API compatibility and documentation concerns.

Pretending in hindsight that we're all too smart to have ever missed this isn't helping software quality for anyone, and good postmortem analysis doesn't throw around words like "unforgivable".

omni3y ago

It casts serious doubt on the Android team as a steward of the platform if this was reviewed by multiple "product and engineering teams" and not a single person thought that fundamentally changing a filesystem API might have security (or at least data integrity!) repercussions. It doesn't seem like any follow-up analysis was done at all here, other than a "thanks for the fix." Hyperbole or not, that's a terrible response.

1 more reply

ZiiS3y ago

Individuals can miss anything, regardless of how smart they think they are. I ment the processes which failed to pick up this oversight where unforgivable.

eviks3y ago

What the reporter thought is irrelevant, he's not expected to know any better. The triaging team on the other hand is

stefan_3y ago

Who missed what? The bug tracker response suggests this was an intentional change. You are trying to whatabout it in a million ways but the reality is that, no, subtly changing the meaning of POSIX open modes is unhinged.

jsjohnst3y ago

These types of issues are exactly why whenever it’s sensitive, I screenshot, crop/edit, then screenshot the crop’d/edited screenshot. There’s other possible issues than this bug (like iOS’s non-destructive edits by default), so it’s better to be safe than sorry.

TacticalCoder3y ago

> These types of issues are exactly why whenever it’s sensitive, I screenshot, crop/edit, then screenshot the crop’d/edited screenshot.

Yeah I always do the same and I'm happy to see I'm not the only one. And a CVE like these shows that we're the ones "not seeing things".

xign3y ago

Redacting PDFs is similarly tricky. These days I use macOS Preview (they have a new-ish feature that explicitly allows for redacting) which works but I sometimes still open it in an editor to make sure the data isn't there lol.

dividuum3y ago

Wait. Wouldn’t that mean that cropped images have the same file size as the uncropped version? Nobody noticed that in all those years?

Retr0id3y ago

Correct! Or rather, nobody investigated deep enough. Frustratingly, I noticed at one point, and incorrectly concluded that fractional image scaling must've been worsening the compression ratio. I was only using my phone in the first place because I wasn't at a PC, so a deeper investigation wasn't really an option at the time.

PenguinRevolverOP3y ago

A demo is available here: https://acropalypse.app/

progbits3y ago

I tried a bunch of old screenshots and always got error. Is the demo broken or is this not always possible to recover?

nabakin3y ago

I've found that these conditions are needed on my Pixel 5:

1. Using the cropping tool given when taking the screenshot (using the Markup tool in any other way does not work for me)

2. You have to crop at least 2 sides

Also, I'm not able to recover the rest of the image once it is put through Discord.

1 more reply

Retr0id3y ago

The latter. (although the former is also plausible)

tyingq3y ago

I don't see any sort of background at all on how it's working. There's metadata in the image that helps reconstruct the original? Or something about how Discord does the attachment, or?

Ah, one commenter offered this:

"It looks like when the edits make the PNG smaller it saves the original number of bytes, overflowing its own buffer and leaving a bunch of unintended IDAT chunks to find :). Did you talk to Google about this before taking to twitter though?"

https://twitter.com/Bottersnike237/status/163689272301266534...

Retr0id3y ago

The quoted comment is pure speculation, by the way - there is no buffer overrun (at least, not in the traditional sense), they just forgot to truncate the original file on-disk before writing the cropped version.

wffurr3y ago

It wasn’t so much that they forgot but that Android 10 changed the meaning of the “w” file mode flag for open.

1 more reply

tyingq3y ago

Ah, makes sense...I see your other comment leading to more detail also. Thanks!

zoklet-enjoyer3y ago

I can crop screenshots with a Google screenshot app??? I always use Snapseed

tgsovlerkhgsel3y ago

Little detail on how this works. I initially thought it's based on thumbnails, but the high quality of the recovered image and the damage at the beginning makes me think it's something else.

kzrdude3y ago

Explanation here https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse...

Retr0id3y ago

tl;dr they open the original image without O_TRUNC, and write the cropped version into the same file.

This thread provides a good overview and some sample images https://mastodon.delroth.net/@delroth/110043776803548821

j / k navigate · click thread line to collapse

44 comments

hewtronic3y ago

For a hint at how the bug works, see this https://issuetracker.google.com/issues/180526528 (more details coming soon™)

From https://twitter.com/David3141593/status/1636979466860744704

Also: you [can] do a basic check with tools like exiftool - it will report "Warning: [minor] Trailer data after PNG IEND chunk" on vulnerable images.

From: https://twitter.com/David3141593/status/1636981307891671041

wffurr3y ago

I still can’t believe they changed the meaning of the “w” flag. I had never heard of the “wt” file mode. Does that exist on other POSIX systems?

acdha3y ago

1 more reply

hedora3y ago

As bad (but on the png side, not the fs library side), if the app crashes mid crop, then this misuse of the posix API means the original image will be corrupted.

They should be doing a “mktemp; write; sync; rename”, which atomically and durably replaces the file in most linux file systems.

There might also be an exploitable race where you overwrite the file in place while it is being parsed, leading to undefined behavior in applications attempting to read the file.

progval3y ago

Python already uses the "t" character with a very different meaning: opening in text mode.

e4e53y ago

Nice write-up here: https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse...

ZiiS3y ago

The fact this wasnt triaged as a security bug is unforgivable https://issuetracker.google.com/issues/180526528

ajross3y ago

> The fact this wasnt triaged as a security bug is unforgivable

Hyperbole like this is unhelpful. The reporter didn't think of it as a security bug, and the discussion in the bug itself is about API compatibility and documentation concerns.

Pretending in hindsight that we're all too smart to have ever missed this isn't helping software quality for anyone, and good postmortem analysis doesn't throw around words like "unforgivable".

omni3y ago

1 more reply

ZiiS3y ago

Individuals can miss anything, regardless of how smart they think they are. I ment the processes which failed to pick up this oversight where unforgivable.

eviks3y ago

What the reporter thought is irrelevant, he's not expected to know any better. The triaging team on the other hand is

stefan_3y ago

jsjohnst3y ago

TacticalCoder3y ago

> These types of issues are exactly why whenever it’s sensitive, I screenshot, crop/edit, then screenshot the crop’d/edited screenshot.

Yeah I always do the same and I'm happy to see I'm not the only one. And a CVE like these shows that we're the ones "not seeing things".

xign3y ago

dividuum3y ago

Wait. Wouldn’t that mean that cropped images have the same file size as the uncropped version? Nobody noticed that in all those years?

Retr0id3y ago

PenguinRevolverOP3y ago

A demo is available here: https://acropalypse.app/

progbits3y ago

I tried a bunch of old screenshots and always got error. Is the demo broken or is this not always possible to recover?

nabakin3y ago

I've found that these conditions are needed on my Pixel 5:

1. Using the cropping tool given when taking the screenshot (using the Markup tool in any other way does not work for me)

2. You have to crop at least 2 sides

Also, I'm not able to recover the rest of the image once it is put through Discord.

1 more reply

Retr0id3y ago

The latter. (although the former is also plausible)

tyingq3y ago

I don't see any sort of background at all on how it's working. There's metadata in the image that helps reconstruct the original? Or something about how Discord does the attachment, or?

Ah, one commenter offered this:

https://twitter.com/Bottersnike237/status/163689272301266534...

Retr0id3y ago

wffurr3y ago

It wasn’t so much that they forgot but that Android 10 changed the meaning of the “w” file mode flag for open.

1 more reply

tyingq3y ago

Ah, makes sense...I see your other comment leading to more detail also. Thanks!

zoklet-enjoyer3y ago

I can crop screenshots with a Google screenshot app??? I always use Snapseed

tgsovlerkhgsel3y ago

Little detail on how this works. I initially thought it's based on thumbnails, but the high quality of the recovered image and the damage at the beginning makes me think it's something else.

kzrdude3y ago

Explanation here https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse...

Retr0id3y ago

tl;dr they open the original image without O_TRUNC, and write the cropped version into the same file.

This thread provides a good overview and some sample images https://mastodon.delroth.net/@delroth/110043776803548821

j / k navigate · click thread line to collapse