Skip to the main content.

2 min read

Acropalypse Now: New Bug and Zero-Day Discovered in Multiple Image Editing Products

Acropalypse Now: New Bug and Zero-Day Discovered in Multiple Image Editing Products

Bottom Line Up Front (BLUF)

Cropped screenshots on affected software leave behind image data that can be recovered, potentially revealing uncropped screenshot context.

Vulnerability

Google Pixel’s Markup tool (CVE-2023-21036, a.k.a. Acropalypse) was discovered in January 2023 and was patched on March 13, 2023.

Separate but similar vulnerability in Microsoft Snipping Tool and Snip & Sketch discovered on March 21, 2023.

Affected Products

Google Pixel’s Markup Tool (Pixel 3 – Pixel 7 Pro)

Microsoft Snipping Tool on Windows 11, Microsoft Snip & Sketch on Windows 10 [8]

Remediation

Google Pixel Markup Tool – March 2023 Android Security Update [1]. It should be noted that any picture cropped by the unpatched Markup tool in the last 5 years was vulnerable.  This patch does not retroactively go through old photos to fix the issue.  However, 3rd party tools are available to identify and sanitize vulnerable images [2][3].

Windows Snipping Tool – Microsoft is actively testing a patched version of the Windows 11 software and has made a version available to Windows Insiders in the Canary channel (early release & testing builds) in the Microsoft Store as of March 23 [7].  It is anticipated that a formal patch will be released in the near future.

Background

Acropalypse (CVE-2023-21036) – The Acropalypse bug was initially reported to Google in January 2023 and was fixed in the monthly security update released on March 13, 2023.  The vulnerability stems from the fact that when an image is cropped using the Markup tool, all of the data from the original image is not deleted and simply resides at the tail of the file [4].

There are two parts for this vulnerability to work. The first part is that the PNG image needs to be compressed in a certain way [5]. The second part is that the original file must be larger than the cropped image that is saved over it. As shown in the visual below, this is because the original image’s size is not updated, and the newly saved image only overwrites a part of that file.

Visual representation of PNG data from 9to5Google
Fig. 1 – Visual representation of PNG data from 9to5Google [4]

Using proof-of-concept code such as the Acropalypse app website [3], vulnerable images can be uploaded, and any retrievable data from the original image file can be recovered. 

After the Acropalypse vulnerability became public, security researchers began looking to see if other software behaved in a similar way.  On March 21, David Buchanan tweeted his discovery [6] that the Windows 11 Snipping Tool is also vulnerable.  While this and the Acropalypse bug are separate vulnerabilities, the idea behind the issue is generally the same.  Using this software, any image that is saved, cropped, and then saved again (over the original image) is vulnerable.

PacketWatch has recommendations and best practices to mitigate potentially sensitive data exposure:

  • Ensure Pixel devices are fully up-to-date with the latest security patch.
  • Ensure systems and software receive regular patching.
  • Conduct a review to determine if these vulnerable tools were used for business processes.
  • As a best practice, avoid capturing or saving sensitive data in unapproved formats such as an image. 

References

[1] https://source.android.com/docs/security/bulletin/pixel/2023-03-01

[2] https://github.com/infobyte/CVE-2023-21036

[3] https://acropalypse.app/

[4] https://9to5google.com/2023/03/18/pixel-markup-screenshot-vulnerability/

[5] https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/

[6] https://twitter.com/David3141593/status/1638222624084951040

[7] https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-acropalypse-privacy-bug-in-windows-11-snipping-tool/

[8] Windows 10 Snipping Tool, Windows 10 Snip & Sketch, and Windows 11 Snipping tool are all similar but separate softwares

How PacketWatch Network Monitoring Foiled an Initial Access Broker

14 min read

How PacketWatch Network Monitoring Foiled an Initial Access Broker

On January 1, 2024, the PacketWatch team prevented a cyberattack by detecting early signs of malicious activity in a client's network. We uncovered...

Read More
Cyber Threat Intelligence Briefing - March 25, 2024

7 min read

Cyber Threat Intelligence Briefing - March 25, 2024

This week, we share a new tactic from DarkGate to look out for and a vulnerability roundup.

Read More
Cyber Threat Intelligence Briefing - March 11, 2024

9 min read

Cyber Threat Intelligence Briefing - March 11, 2024

This week, we cover lessons learned from the recent Microsoft Security and Midnight Blizzard statement, X's new feature's privacy risk, and a...

Read More