Today, I would like to discuss the security vulnerability known as aCropalypse, or CVE-2023-21036. This problem mainly affects Google Pixel smartphone users who frequently crop their photos. The vulnerability allows data recovery from truncated PNG files, which may lead to the restoration of personal information deleted from images, including postal addresses or bank details. This could potentially be disturbing or even fascinating for some.
To illustrate this issue, let’s consider a scenario where you take a screenshot of an email that contains your personal address, and then crop the image to display only the product details while hiding your personal information. With the CVE-2023-21036 vulnerability, it is possible for a hacker to recover the deleted portion of the image and access your personal address.
So, how does this vulnerability work?
Essentially, the flaw takes advantage of the way PNG files are compressed with the zlib compression algorithm. Normally, it’s very difficult to decompress compressed data without knowing the specific Huffman tree used for the compression. However, in the case of this security flaw, it becomes possible to decompress the data by finding the start of a Huffman coding block. The process is relatively straightforward: the algorithm scans each binary offset, and when it finds the start of a Huffman block, it attempts to decompress the data from that point. If successful, it can recover any truncated data in the PNG file.
for each bit-offset: if it doesn't look like the start of a dynamic huffman block: skip this offset kotlin try decompressing from that offset: if the decompressed data looks plausible: return decompressed data! catch decompression errors: continue
And that’s how you recover erased data from PNGs.
This vulnerability is due to an API issue at Google, where the “w” (write) option was used instead of “wt” (write with truncation). As a result, the original image is not truncated when it is cropped.
In short, if the “crop” function you use in your favorite software goes through Google’s API, be vigilant until this problem is fixed.