Tuesday, March 21, 2023

Recovering Cropped Parts of Google Pixel Screenshots

Simon Aarons (via Hacker News):

Introducing acropalypse: a serious privacy vulnerability in the Google Pixel’s inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot.

David Buchanan (via Hacker News):

Google was passing "w" to a call to parseMode(), when they should've been passing "wt" (the t stands for truncation). This is an easy mistake, since similar APIs (like POSIX fopen) will truncate by default when you simply pass "w". Not only that, but previous Android releases had parseMode("w") truncate by default too! This change wasn't even documented until some time after the aforementioned bug report was made.

The end result is that the image file is opened without the O_TRUNC flag, so that when the cropped image is written, the original image is not truncated. If the new image file is smaller, the end of the original is left behind.

This reminds me of the old Microsoft Word issue where if you had it set to “fast save” it would leave deleted text in the file. Sometimes there even seemed to be chunks of unzeroed content from other apps’ deleted files.

I found that the data was indeed compressed using dynamic Huffman coding, but that the Huffman tree was re-specified every ~16KB or so. This was excellent news because it meant I didn’t have to solve the “Huffman coding cryptanalysis” problem, and could instead solve the much simpler-in-practice problem of “find the start of a dynamic-Huffman-coded zlib block”.


Although I’m currently an iPhone user, I used to use a Pixel 3XL. I’m also a heavy Discord user, and in the past I’d shared plenty of cropped screenshots through the Discord app.

I wrote a script to scrape my own message history to look for vulnerable images. There were lots of them, although most didn’t leak any particularly private information.


Very simple script to check which PNG files have trailing data.

I hope that people who host forums, image boards, chat applications, etc., will delete or fix potentially vulnerable images before anyone uses them maliciously.

One way to repair a vulnerable image is to use optipng -fix.


These types of issues are exactly why whenever it’s sensitive, I screenshot, crop/edit, then screenshot the crop’d/edited screenshot. There’s other possible issues than this bug (like iOS’s non-destructive edits by default), so it’s better to be safe than sorry.

Nick Heer:

There are some people in the replies to Aarons’ tweet claiming the same is true for cropped iPhone screenshots. In my testing, that is not exactly right: if you crop an iPhone screenshot and then share it with default sharing options, it does not transmit edit history or removed image data, as best as I can tell. When I AirDropped a cropped screenshot to myself, it sent a re-encoded JPG image instead of the HEIF original. In the iOS Share sheet, there is an “Options” button; if you want, you can toggle the switch to “include all photos data” which includes “edit history and metadata”, including image data removed via cropping. This option is off by default.


2 Comments RSS · Twitter · Mastodon

Was going to say Nick Heer said what Marcos has already posted…

UPDATE: It appears screenshots cropped with Windows 11’s Snipping Tool are also vulnerable.

Leave a Comment