You might think that hiding sensitive information in a picture is a cakewalk. Just blot out your secrets with a big black marker in any image editor. Or even better: just crop the bit of the photo or screenshot that contains your personal data. What could possibly go wrong?
Quite a lot, in fact. We've already posted about how not to hide information in images and how not to retouch pictures embedded in documents. But a recent study shows that you can still come a cropper, so to speak, even if you take just about every conceivable precaution – and all due to a bug related to image processing. Let's take a closer look at how two standard image-editing tools – one on Google Pixel and the other in Windows 11 – can reveal supposedly hidden information in images.
How to recover hidden information in screenshots edited on Google Pixel
It all started when security researchers Simon Aarons and David Buchanan discovered a vulnerability they named Acropalypse: it turns out that Markup, the Google Pixel built-in image editor, saves edited PNG files in a way that lets them be fully or partially recovered.
When processing PNG images, instead of saving a completely new PNG file, Markup overwrites the old one in a very peculiar way. If you crop a picture, its size in bytes compared to the original decreases, of course. The same thing happens if you paint over part of an image with a single color – thanks to the compression algorithms that are very good at packing solid-colored areas. But the file saved after editing in Markup has the same size as the original: the app simply overwrites the new data on top of the old, leaving a "tail" of the initial image data in the file. And with the help of a tool created by the researchers (available online), it's possible to partially restore the original.
Here's how the researchers themselves illustrate what's going on:
Note, though, that the screenshot used as the example here is both redacted AND cropped. Thus, importantly, the resulting image is significantly smaller than the original. After the edited version is saved on top of the original, there's a lot of non-overwritten data at the end of the file that can be recovered. And the fully unrestored or badly-restored area – the top third of the resulting picture – just so happens to contain nothing important.
So the researchers' demonstration should be taken as an ideal case: in real life, the success of the tool will almost certainly be lower, and the result will largely depend on the circumstances. But that doesn't mean the problem can be ignored – this vulnerability is nothing if not very unpleasant.
It affects the following Google smartphones (highlighted are models that are no longer supported and will probably not get updates):
- Google Pixel 3, 3 XL, 3a, 3a XL
- Google Pixel 4, 4 XL, 4a, 4a(5G)
- Google Pixel 5, 5a
- Google Pixel 6, 6 Pro, 6a
- Google Pixel 7, 7 Pro
In addition to its colloquial name, Acropalypse, the vulnerability was designated CVE-2023-21036. It has already been patched in the March Android update for the Pixel smartphones. Alas, the update is powerless to fix old edited screenshots that have already been published or otherwise shared.
How to recover hidden information in screenshots edited in Windows 11
After Aarons and Buchanan posted their findings on Twitter, other researchers took up the cause. Logically assuming that other image-editing tools might use the same flawed mechanism for overwriting PNG files, they began to look for new vulnerable applications. And they found them, of course: a similar bug was detected in Snipping Tool, a screenshot utility in Windows 11.
Windows 11 Snipping Tool has exactly the same problem: the app overwrites edited PNG files on top of the original, and when the new file is smaller, some data from the original remains at the end of the file, from which the uncut image can be partially reconstructed.
See this article on BleepingComputer for more details:
Although in this case a smaller part of the original image was restored, the result is still impressive. Note that the problem seems to be confined only to Snipping Tool and only to the Windows 11 version. So users of earlier versions of Windows, or those who prefer to edit screenshots in Paint or a full-fledged graphics editor like Photoshop, aren't affected.
The vulnerability in Windows 11 Snipping Tool remains unclosed. But, again, even when an update arrives, it won't fix the problem with screenshots that are already out there.
What to do?
If you use Windows 11 Snipping Tool, or have a Google Pixel smartphone (gen 3–7), and you've posted cropped or edited screenshots with passwords somewhere, consider those passwords compromised: change them immediately. Sure, you might struggle to remember every such instance, and in any case there's nothing much you can do about it: there do exist Python scripts and YARA rules for finding and treating such PNG images, but these are only for techies.
On a final note, here are some tips on how to safely retouch images with sensitive data that you plan to post online or send to someone you don't know if you can fully trust:
- If you prefer to hide your secrets by painting over them or filling the area with solid color, make sure that the opacity is set to 100%.
- If you opt for pixelating or smearing, bear in mind that this operation is reversible.
- If you're cropping, save the image to a new file – preferably using Photoshop's Save for Web tool or an equivalent: such a tool will definitely slice off the unwanted part of the file for the sake of optimization.
Lastly, before posting a picture that could spill a bean or two, ask yourself: is posting it really necessary?
Source: kaspersky.com