The “aCropalypse” is here. Are your Photos Safe?

Google’s photo-editing tool, Markup, was introduced in 2018 and has been the default tool on Google devices ever since. At the beginning of March, the company released a patch for its Pixel smartphones to fix a bug in Markup where the program would leave data in cropped images. The data left in the cropped images could allow most, or in some cases all, of the original image to be reconstructed. The bug, dubbed “aCropalypse”, presents an issue because Google users were cropping and sharing images that may still have contained private or sensitive data that the user had intended to eliminate.

“aCropalypse” was discovered and submitted to Google by Simon Aarons, a security researcher and college student. He collaborated with reverse engineer David Buchanan. As it turns out, the duo discovered that this type of bug was also occurring in Windows environments. The Microsoft version of the bug was occurring in the Windows 11 Snipping Tool and the Windows 10 Snip & Sketch tool. It occurred when users took a screenshot, saved it, cropped it, and then resaved the file after the edit.

On Wednesday, March 22, Microsoft told WIRED that it was “aware of these reports”, was “investigating,” and that “we will take action as needed.”

“It was pretty mind-blowing really, it was as if lightning had just struck twice,” Buchanan said. “The original Android vulnerability was already surprising enough that it hadn’t been discovered already. It was quite surreal.”

“I actually noticed it at about 4 in the morning by total accident when I spotted that a small screenshot I sent of white text on a black background was a 5MB file, and that didn’t seem right to me,” Aarons says.

Aside from the fact that the bug might allow people or places to be reconstructed into the image, there are other security implications that make this vulnerability a big deal, and the average person may not think of them at first.

Aarons provides an example of just how dangerous this bug can be, explaining that he was able to recover his credit card number from a photo that he had attempted to crop it out of. These types of situations can present a huge security risk, and the victim could be none the wiser.

Google and Microsoft have both released a patch for the bug.

Even Google’s patch isn’t a perfect fix, however, as it doesn’t address photos cropped in the years that Markup was vulnerable. The company does note, though, that many of the sites that users would likely have shared these images to may have automatically stripped out the data in question.

“As part of their existing compression process, apps and websites that recompress images, like Twitter, Instagram, or Facebook, delete extra data automatically from images uploaded. Images posted to sites like these are not at risk,” Google spokesperson Ed Fernandez said in a statement.

It is important to note, however, that not all social media sites recompress uploaded images, so you can’t always trust that your images are going to be safe from the aCropalypse.
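
A check for files already on disk, added here as an example and not taken from the article or from Google's or Microsoft's code: it assumes the affected files are PNG screenshots, in which any leftover data sits after the IEND chunk that ends the image. The sample images and the names `trailing_bytes`, `make_png` and `leaky_file` are constructed for illustration, and the leftover data is modeled as a smaller image written over a larger one without truncating the file.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def trailing_bytes(png: bytes) -> int:
    """Count bytes after the first IEND chunk; 0 means nothing is left over."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):  # 12 = length + type + CRC fields
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if crc != zlib.crc32(png[pos + 4:end - 4]):
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        if ctype == b"IEND":
            return len(png) - end
        pos = end
    raise ValueError("no IEND chunk found")

def make_png(width: int, height: int) -> bytes:
    """Constructed sample: solid-black 8-bit grayscale PNG, stored uncompressed."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = (b"\x00" + b"\x00" * width) * height  # filter byte + pixels per row
    idat = zlib.compress(rows, 0)  # level 0 keeps sample sizes predictable
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))

# Constructed input: the "cropped" image is written over a larger original
# without truncating the file, so the original's tail stays behind.
original = make_png(64, 64)
cropped = make_png(8, 8)
leaky_file = cropped + original[len(cropped):]

if __name__ == "__main__":
    for name, data in (("clean", cropped), ("leaky", leaky_file)):
        print(f"{name}: {len(data)} bytes, {trailing_bytes(data)} after IEND")
```

A non-zero result does not prove a file came from a vulnerable editor, but it flags the image for re-encoding before it is shared again.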

Story via WIRED
