Some photo-cropping apps are showing you your secrets


Markup, Google, and Markor: Detecting an aCropalypse-like Security Violation in the Screenshot Editing Utility

The private information users chose to conceal could be revealed due to a security flaw in the Markup screenshot editing utility, which can allow images to become partially unedited. The vulnerability, which was discovered by reverse engineers Simon Aarons and David Buchanan, has since been patched by Google but still has widespread implications for the edited screenshots shared prior to the update.

The example that was shown is a cropped image of a credit card which has the card number blocked out using the Markup tool. Once Aarons downloads the image and exploits the aCropalypse vulnerability, the top part of the image becomes corrupted, but he can still see the pieces that were edited out in Markup, including the credit card number. You can read more about the technical details of the flaw in Buchanan’s blog post.

The flaw is due to the fact that the original version of the image is kept in the same file location as the edited version. If the edited version of the screenshot is smaller than the original, “the trailing portion of the original file is left behind, after the new file is supposed to have ended.”
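As an added illustration (not code from the article or from either researcher), the following Python sketch reproduces the mechanism just described and adds the check a defender would want: it builds constructed sample PNGs, overwrites a large original with a smaller edited image both without truncation (the buggy pattern, which leaves the original's tail after the edited image's IEND chunk) and with truncation (the fix), and scans a file for any bytes after IEND so already-shared images can be checked for leftover data. The file name, image sizes and the framing of the write pattern are assumptions.

```python
import os
import random
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    # One PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data.
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_png(width: int, height: int) -> bytes:
    # Constructed sample: valid 8-bit grayscale PNG of seeded noise, so file size tracks pixel count.
    rng = random.Random(1234)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + rng.randbytes(width) for _ in range(height))  # filter 0 + row
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")

def trailing_bytes_after_iend(path: str) -> int:
    # Scanner: walk the chunk list and return how many bytes follow IEND (0 = clean file).
    with open(path, "rb") as f:
        blob = f.read()
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length  # length + type + data + CRC
        if ctype == b"IEND":
            return len(blob) - pos
    raise ValueError("no IEND chunk found")

def overwrite(path: str, data: bytes, truncate: bool) -> None:
    # truncate=False is the buggy pattern: the existing file is reopened without O_TRUNC, so a
    # shorter write leaves the old tail in place. truncate=True (O_TRUNC) discards it first.
    fd = os.open(path, os.O_WRONLY | (os.O_TRUNC if truncate else 0))
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def demo() -> tuple:
    # Returns (trailing bytes after the buggy write, trailing bytes after the fixed write).
    original, edited = make_png(256, 256), make_png(32, 32)
    results = []
    with tempfile.TemporaryDirectory() as d:
        for truncate in (False, True):
            path = os.path.join(d, "screenshot.png")
            with open(path, "wb") as f:
                f.write(original)  # the full-size original screenshot on disk
            overwrite(path, edited, truncate)
            results.append(trailing_bytes_after_iend(path))
    return tuple(results)
```

Running `demo()` returns a large positive count for the buggy write and 0 for the truncating one; the scanner alone is enough to triage a folder of previously shared screenshots.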

The FAQ page states that while certain sites, including Twitter, re-process the images posted on the platforms and strip them of the flaw, others, such as Discord, don’t. Edited images shared to the platform before the exploit was patched could be at risk, as the exploit was only patched in a recent January 17th update. It’s still not clear whether there are any other affected sites or apps and if so, which ones they are.

This flaw was discovered just one week after the security team at Google found a vulnerability that could be exploited to compromise phones using a victim’s phone number. The issue has been fixed in the March update, but it isn’t yet available for the 6 Pro and 6A devices.

“It was pretty mind-blowing really, it was as if lightning had just struck twice,” says Buchanan. “The original Android vulnerability was already surprising enough that it hadn’t been discovered already. It was quite surreal.”

After the vulnerabilities were made public, researchers found old discussions in programming forums in which developers had noticed odd behavior of the cropping tools. But Aarons seems to have been the first to recognize the potential security and privacy implications—or at least the first to bring the findings to Google and Microsoft.

“At about 4 in the morning, I accidentally spotted that the white text I sent to friends was a 5 MB file, and that didn’t seem right to me.”

Microsoft hasn’t issued any fixes yet, but even those released by Google don’t mitigate the situation for existing image files cropped in the years when the tool was still vulnerable. On some social media and communication services, images may be stripped of the data if they are shared.