Microsoft fixes the vulnerability named ‘aCropalypse’
April 3, 2023
Cybersecurity scholars Simon Aarons and David Buchanan discover a high-severity vulnerability in the Pixel mobile screenshot editor, called Markup. This bug, named ‘aCropalypse’ allowed partial recovery of the original, unedited data from a cropped screenshot.
Update
Microsoft has released two emergency patches to fix the aCropalypse vulnerability in Windows 11 and Windows 10. Exploiting this vulnerability allows you to restore the original appearance of screenshots taken and edited with the Scissors tool. The developers reportedly started testing the fix a few days ago, shortly after the issue was made public.
Now, Microsoft has started patching to fix aCropalypse vulnerabilities in the Snipping app in Windows 11, as well as the Snip Sketch tool used in various variants of Windows 10. Users have the ability to skip the wait for that the update is downloaded by automatically downloading it themselves.
Microsoft offers users to install a patch to fix the aCropalypse vulnerability. This bug hurts Snip; Sketch on Windows 10 and Snipping Tool on Windows 11, and has a low CVSS score of 3.3, according to Microsoft, because it needs the customer relationship to exploit it. “The severity of this vulnerability is low as successful exploitation requires an unusual client relationship and various components outside of an attacker’s control,” the company’s advisory shows.
Hack Attack
For an attacker to exploit this bug, the client would have to have develope an image with specific conditions:
- Take a screenshot
- Save it to a document
- Edit it
- Save the modified document to the same location
- Open an image with the crop tool
- Edit it
- Save the modified document to the same location.
Thus, if a customer takes a screenshot of their bank statement, saves it to their desktop, and crops their account number before saving it to the same location, the cropped image could still contain their account number in a hidden format. A number that someone with access to the full image document could recover. However, if the customer replicates the Snipping Tool cropped image and pastes it into an email or file, the hidden data will not be copied and your account number will be safe.
Remember that the aCropalypse vulnerability was first found in the Android Markup app for Immediate Release of Images, which is available on Google Pixel smart phones. It ended up that when editing files in PNG format, it does not overwrite the entire document, which left the possibility of restoring the original image. This means that the information that the users of the mentioned application would hide by means of cuts or tweaks can be recovered. It is further implied that the aCropalypse vulnerability also harms the Scissors tool in the Windows operating system.
Conclusion
It ended up that attackers have the ability to recover images edited with Scissors, which could be quite cumbersome if users want to hide sensitive information. Now it is possible to install the official Microsoft patch to make the relationship with the Snipping tool more secure. If you notice an error, select it with the mouse and press CTRL + ENTER.
