Post ATkyCiSmOKQ2leCXqa by tusooa@kazv.moe
(DIR) Post #ATjsj7x8MarOCoVkH2 by delroth@mastodon.delroth.net
2023-03-18T10:19:37Z
22 likes, 50 repeats
CVE-2023-21036 / acropalypse is absolutely bonkers.
Apparently for 5+ years the cropping / editing tools for screenshots on Google Pixel phones were only overwriting the start of the screenshot PNG file, but not truncating.
All screenshots shared for the past 5+ years might have data recoverable from them. Demo available at https://acropalypse.app/
Google still hasn't communicated anything on this.
(h/t ItsSimonTime on Musk's site)
(DIR) Post #ATjsjBR1PvYB0NW9mC by delroth@mastodon.delroth.net
2023-03-18T10:21:11Z
0 likes, 0 repeats
I tried it on a screenshot from just a week ago. This is absolutely scary.
First image is the screenshot I saved after cropping. Second is what the demo app managed to recover.
(DIR) Post #ATjsjDOy6X616aZXqy by delroth@mastodon.delroth.net
2023-03-18T10:24:01Z
0 likes, 0 repeats
Another one showing how a smaller crop can end up revealing even more of the original screenshot image.
(DIR) Post #ATju9QyANlpqfU6NVI by chrismckee@federate.social
2023-03-18T11:28:03Z
0 likes, 0 repeats
@delroth doesn't seem to work on ones that have been shared online though. I assume because nearly every site / app will re-encode as jpeg to save space
(DIR) Post #ATju9RdzsFIOlDfmhk by delroth@mastodon.delroth.net
2023-03-18T11:31:01Z
0 likes, 0 repeats
@chrismckee depends on the app, and the size of the file for some apps. Definitely wouldn't make that bet if I had cropped e.g. credit card info or sensitive personal info.
Especially since PNGs don't usually have EXIF-style metadata so it's more common for apps to leave them alone.
(DIR) Post #ATju9SCNoOnkTrlFIm by chrismckee@federate.social
2023-03-18T11:33:40Z
0 likes, 0 repeats
@delroth twitter/Mastodon/Flickr re-encode. Facebook's passes through image resizer.
It's pretty shit though; not like cropping images is some new coding problem
(DIR) Post #ATju9SqRPSqOU6VEjw by chrismckee@federate.social
2023-03-18T11:34:36Z
0 likes, 0 repeats
@delroth happily Snapseed crops fine. Maybe they should have reused the code
(DIR) Post #ATju9SywtpeKuUU208 by chrismckee@federate.social
2023-03-18T11:29:54Z
0 likes, 0 repeats
@delroth struggled to find one in my vastly (Jesus I need to clean that folder) overfilled screenshot folder. It's just saved the dead space
(DIR) Post #ATju9TWyrIs6c2PD2u by delroth@mastodon.delroth.net
2023-03-18T11:35:53Z
1 likes, 0 repeats
@chrismckee looking at the root cause it's hard to blame the cropping app / code itself, Android just fucked up file truncation with open mode "w". https://issuetracker.google.com/issues/180526528
It's possible (likely?) that when the cropping was written and tested originally it didn't have that vuln at all.
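As an added example (not from this thread, and not the acropalypse.app tool or the Pixel code), a small Python check for the symptom the first post describes and the root cause discussed just above: it parses the PNG chunk list, counts bytes that sit past the IEND chunk (a decoder never shows them, but they stay in the file), and contrasts an in-place overwrite that skips truncation with one that calls ftruncate. The PNGs and the tEXt "original" marker are constructed inline; the file names and helper names are my own.

```python
import os
import struct
import tempfile
import zlib
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    # length + type + data + CRC32 over type and data
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width: int, height: int, extra: bytes = b"") -> bytes:
    # Constructed sample: 8-bit RGB, all-black pixels, filter byte 0 per row.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = (b"\x00" * (1 + 3 * width)) * height
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + extra
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))

def png_end_offset(blob: bytes) -> int:
    # Walk the chunk list; return the offset just past the IEND chunk.
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND" and pos <= len(blob):
            return pos
    raise ValueError("no complete IEND chunk")

def trailing_bytes(blob: bytes) -> int:
    # Decoders stop at IEND, so anything after it is invisible but still on disk.
    return len(blob) - png_end_offset(blob)

def overwrite_check(old: bytes, new: bytes, truncate: bool) -> int:
    # Write `old`, overwrite in place with the shorter `new`, return trailing count.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shot.png")
        with open(path, "wb") as f:
            f.write(old)
        with open(path, "r+b") as f:  # r+b does not truncate on open
            f.write(new)
            f.flush()
            if truncate:
                os.ftruncate(f.fileno(), len(new))  # the step the buggy path skipped
        with open(path, "rb") as f:
            return trailing_bytes(f.read())

ORIGINAL = make_png(4, 4, _chunk(b"tEXt", b"Comment\x00constructed original"))  # constructed 4x4 "original"
CROPPED = make_png(1, 1)  # constructed 1x1 "crop" written over it
```

Running `trailing_bytes` over a screenshot folder is a quick way to find files worth re-saving or stripping before they are shared.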
(DIR) Post #ATkH4SeH0fmHNEOXOi by bdsl@social.vivaldi.net
2023-03-18T12:17:46Z
0 likes, 0 repeats
@delroth The most surprising thing to me is that it apparently took 5 years for anyone willing to publish to go looking for these pixels. Do we know what code module has the bug and whether it could be used anywhere else that isn't a Pixel phone?
(DIR) Post #ATkH4T7hFHJUqUA2G8 by ondra@social.unextro.net
2023-03-18T16:21:38Z
0 likes, 1 repeats
@bdsl @delroth The most surprising thing to me is that nobody noticed a cropped screenshot takes up exactly the same space as the original.
I guess that's due to the tendency to hide the file system paradigm from users on the two dominant mobile operating systems.
(DIR) Post #ATkHqM2MtUBAljVCee by nekofag@rdrama.cc
2023-03-18T16:30:20.648890Z
1 likes, 0 repeats
@delroth child porn for fucking DAYS BITCH cc @pernia
(DIR) Post #ATkWgrtV5uGlzKHzPc by saiv46@c.im
2023-03-18T19:16:43Z
0 likes, 0 repeats
@chrismckee @delroth I want to point out that Mastodon does not re-encode media, but makes thumbnails. PNG stays PNG, JPEG stays JPEG.
But this thing made me consider re-encoding PNG files on instance into lossless WebP (also there's up to 30% size reduction)
(DIR) Post #ATkxTgtVNUq6s1ESsS by SuperSnekFriend@poa.st
2023-03-19T00:16:53.090458Z
1 likes, 1 repeats
@delroth Is this a programming mistake or a "programming mistake" at the behest of Google's overlords? :jahy_smug_stare:
(DIR) Post #ATkyCiSmOKQ2leCXqa by tusooa@kazv.moe
2023-03-19T00:24:51.483433Z
0 likes, 0 repeats
@shironeko https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3803 related?
(DIR) Post #ATm2mYgWomARqAwFiC by simonlbn@infosec.exchange
2023-03-18T10:35:48Z
1 likes, 0 repeats
@delroth Wow... that's incredible level of bad.
I'm now sitting here wondering if it's really Pixel specific or not... and if other screenshot solutions suffer from a similar problem, or Google did something very silly...
At least it seems like it has been fixed in the 2023 March update.... for future screenshots (presumably)...
(DIR) Post #ATm2oNVRLrRNkVcUcK by delroth@mastodon.delroth.net
2023-03-18T10:36:48Z
0 likes, 0 repeats
@simonlbn "future" indeed, since the 2023 March update isn't available publicly for Pixel 6 / 6 Pro at this point.
Yes, despite the fact that Project Zero dropped 5 remotely exploitable vulns for those devices yesterday.
(DIR) Post #ATm2oNw1l0hx4y3j3g by flameeyes@mastodon.social
2023-03-18T10:38:54Z
1 likes, 0 repeats
@delroth @simonlbn you know things are bad when I trust my Huawei better than Google's flagship phones.
(DIR) Post #ATm2oOJQM1QIFX0PWi by delroth@mastodon.delroth.net
2023-03-18T10:40:51Z
0 likes, 0 repeats
@flameeyes @simonlbn at least your data mostly gets leaked to various companies and gov orgs in China, not your stalkers and random people online :-)
(But really, having worked on projects close to Android security in the past - Huawei devices have had some absolutely bonkers backdoors.)
(DIR) Post #ATm2sd4zON99CvH62a by delroth@mastodon.delroth.net
2023-03-18T11:34:25Z
0 likes, 0 repeats
@NekoEd no idea -- another reason why it would be great if Google actually released information...
I've only seen confirmation for Pixel screenshots. However the root cause of the vulnerability is a behavior change in AOSP which could potentially have similar effects for other apps (https://issuetracker.google.com/issues/180526528).
(DIR) Post #ATm3h58LMUQsh8twXo by marnanel@queer.party
2023-03-18T11:36:17Z
0 likes, 0 repeats
@delroth the people who run that site are going to be receiving an awful lot of other people's sensitive information
(DIR) Post #ATm3hKnJ8T73GXBMye by delroth@mastodon.delroth.net
2023-03-18T11:40:15Z
0 likes, 0 repeats
@marnanel it's all client side, nothing gets uploaded. At least in its current version I was using.
(DIR) Post #ATm3tbfqCgJT5kXeUa by delroth@mastodon.delroth.net
2023-03-18T13:39:06Z
0 likes, 0 repeats
PoC author @retr0id published his writeup about how the bug was found, I strongly encourage you to give it a read and a follow: https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html
(DIR) Post #ATm3ui6Rmm03JxVrP6 by ollibaba@chaos.social
2023-03-18T13:43:14Z
0 likes, 0 repeats
@delroth That sounds a bit like the challenge from Underhanded C Contest 2008 (http://www.underhanded-c.org/_page_id_17.html):
> write a short, simple C program that redacts (blocks out) rectangles in an image.
> The challenge: write the code so that the redacted data is not really gone.
(DIR) Post #ATm3vICNaC8TGmZ6eG by delroth@mastodon.delroth.net
2023-03-18T13:44:17Z
0 likes, 0 repeats
@ollibaba should retroactively give the crown to the Pixel team
(DIR) Post #ATm48EnJYEDMTa0vZ2 by frostyfrog@vtubers.site
2023-03-18T16:18:08.196152Z
0 likes, 0 repeats
@delroth decided to give it a try myself. First two images are before and after with an old screenshot. Tried a newer screenshot from yesterday and got this message instead.
(DIR) Post #ATm4EF4XQn1n4ivw3c by protofoxriley@tech.lgbt
2023-03-18T18:13:32Z
0 likes, 0 repeats
@delroth right as i get a pixel 6a, GDI
(DIR) Post #ATm4EFr6WDsNVLeiky by delroth@mastodon.delroth.net
2023-03-18T18:17:53Z
0 likes, 0 repeats
@protofoxriley heh, at least you don't have 5 years of potential leaks to think about...
(DIR) Post #ATnJ9xirgg7gZwAnQ0 by pernia@cum.salon
2023-03-20T03:21:09.433208Z
3 likes, 2 repeats
@nekofag @delroth :suicide: not my fucking cunny pictures FUCK JEWGLE FUCK GRPAHMEME THEY FUCKED ME
(DIR) Post #AToBOazjrlZRxSUaum by shironeko@fedi.tesaguri.club
2023-03-20T13:36:50.417059Z
0 likes, 0 repeats
@tusooa @delroth I don't think so, at least not for the image I found it on. The error was with EXIF tag data after the image data.
Though if exiftool properly catches such error then it's probably a good idea to have it strip it or have pleroma warn loudly about it.
(DIR) Post #ATuhALKdfOC8o9H8s4 by mangeurdenuage@shitposter.club
2023-03-23T17:01:12.823682Z
0 likes, 3 repeats
@delroth
> All screenshots shared for the past 5+ years might have data recoverable from them.
(DIR) Post #ATuhCiK1A42ign7DoO by PhenomX6@fedi.pawlicker.com
2023-03-23T17:01:37.704642Z
1 likes, 0 repeats
@delroth good thing I don't use pixels
(DIR) Post #ATuiKoROOYG7wBzTgO by coldacid@noagendasocial.com
2023-03-23T17:14:18Z
1 likes, 0 repeats
@mangeurdenuage @delroth @graf we need more rms happening macros
(DIR) Post #ATuiUoiWDsLrgqluSG by APPTeOORuzvlGOetVY.verita84@poster.place
2023-03-23T17:16:07.803460Z
2 likes, 0 repeats
@retr0id @delroth What's PoC?
(DIR) Post #ATuidVYuoFvyt9QLom by ChristiJunior@detroitriotcity.com
2023-03-23T17:17:41.846913Z
3 likes, 0 repeats
@verita84 @delroth @retr0id Person of Crime
(DIR) Post #ATujQ008wNpJC5HXay by captain_arepa@moar.cachapa.xyz
2023-03-23T17:26:26.126Z
1 likes, 0 repeats
@verita84@poster.place @retr0id@retr0.id @delroth@mastodon.delroth.net Proof of Concept
(DIR) Post #ATuk5SAH8OyqPjmvC4 by APPTeOORuzvlGOetVY.verita84@poster.place
2023-03-23T17:33:57.327963Z
1 likes, 0 repeats
@ChristiJunior @delroth @retr0id That statement disproportionately targets people of color :pepe_cheers:
(DIR) Post #ATuk84eL1HHkLt6DXk by ChristiJunior@detroitriotcity.com
2023-03-23T17:34:25.540463Z
2 likes, 0 repeats
@verita84 @delroth @retr0id Niggers aren't people tho.
(DIR) Post #ATukDu07WYD13z4D7A by APPTeOORuzvlGOetVY.verita84@poster.place
2023-03-23T17:35:28.959274Z
1 likes, 0 repeats
@ChristiJunior @delroth @retr0id When the bleach and Dawn disappear, they may one day become people.
(DIR) Post #ATumLXiGTRdyABUCS8 by mangeurdenuage@shitposter.club
2023-03-23T17:59:15.624758Z
0 likes, 0 repeats
@coldacid @delroth @graf Agreed. We need AI under GPL to make us RMS Tans too.
(DIR) Post #ATumQxtYYaJyoVLxhY by coldacid@noagendasocial.com
2023-03-23T18:00:14Z
1 likes, 0 repeats
@mangeurdenuage @delroth @graf yes we need pictures of little loli RMS eating her own toe fungus
(DIR) Post #ATuoPVFXm2uhaf4ICW by Relected@shitposter.club
2023-03-23T18:22:23.633079Z
0 likes, 0 repeats
@delroth that's actually retarded as fuck coming from google of all places, I wouldn't be surprised if it was an indie Dev fault or yanderedev's fault, but fucking GOOGLE?!?
(DIR) Post #ATv1PzxissZAFQIc52 by Herman_Hetherington@poa.st
2023-03-23T20:40:39.588248Z
0 likes, 0 repeats
@mangeurdenuage @delroth I wonder if you were cropping nudity out of photos and someone were able to use one of these for revenge porn whether Google would have any liability.
(DIR) Post #ATv1Q0ZIdAck7xsceO by mangeurdenuage@shitposter.club
2023-03-23T20:48:07.700636Z
0 likes, 0 repeats
@Herman_Hetherington @delroth Anything is possible. As far as I can imagine I think all this data is fed to AIs for profiling.
> whether Google would have any liability.
That's a good question.
Contractually speaking google has discharged itself from any responsibility via their EULAs or open source/permissive license and brands like samsung etc... do the same.