When you take a screenshot on your phone, the phone saves the image to a file. If you then use certain tools to edit the image, the phone doesn’t actually overwrite the original file. Instead, it saves the changes to a new file and then links the original file to the new one. This means that if someone has access to the edited image, they can still recover parts of the original file by looking at the link between the two files.
This is a vulnerability because it means that someone could potentially recover sensitive information from an image that you thought you had deleted. For example, if you took a screenshot of a credit card number, someone could use the aCropalypse vulnerability to recover the credit card number even after you had deleted the screenshot.
It’s fairly common to see people sharing their passports, airline tickets, and other sensitive media and using these tools to blur content. Consider these potentially exposed.
What is affected?
The exploit only works for PNG files, but a similar vulnerability may exist in JPG files, which is the default for many platforms and would affect the largest number of users.
Currently this vulnerability applies to Google Pixel Markup, as well as the Windows 10 / 11 Snipping tool, but that is only what is known at this time. The severity of this exploit means that you should take extra precautions when cropping images and sharing.
Despite Google fixing the problem in the recent update for the Pixel phones, any images shared in the past five years are vulnerable to the Acropalypse attack, and nothing can be done to remediate this.
The issue of Pixel screenshots taken in the past four years remains unresolved, and they could contain hidden data that was not intended to be shared. Whether or not this data is exposed depends on the hosting platform. For instance, certain apps such as Twitter will compress uploaded files, thereby wiping any hidden data in the screenshot.
However, if the original file is shared instead, it’s possible for a third party to uncover the full image, even if it has been cropped. Discord is known to share original files, and other messaging apps may also behave in the same way.
Unfortunately, this means that if you shared any cropped images using the above-mentioned platforms, your full images can be recovered – and there is nothing you can do about images you have already sent.
How can you protect yourself?
To protect against this vulnerability, the following precautions can be taken.
1. Update your phone’s operating system to the latest version as soon as possible.
- Keep your Microsoft Windows 10/11 updated. Note that as of the writing of this article (28 March 2023), Microsoft has not yet released any protection patches or updates.
- Delete any cropped images with sensitive content from your device, as well as any cloud storage.
- Be careful when sharing any cropped images on any platform.
- Use a different editor to crop and save edited images. Canva is an excellent tool for this.