For several days, the web has been buzzing with horror at a strange security flaw affecting Windows and Pixel smartphones. But if the vulnerability does exist, there is very little risk of it doing any damage…
If you follow the news on the Net and social networks, you may have heard alarmist talk about Acropalypse – also called aCropalypse according to the authors – a strange security flaw that would affect both the Pixel smartphones of Google and Windows, in its versions 10 and 11. Discovered recently by researchers specializing in cybersecurity, this vulnerability would allow hackers to easily recover confidential user data, and thereby carry out all sorts of malicious actions (identity theft, theft of bank details, etc.) In short, the usual panoply of dangers that threaten our digital lives and that still cause fear in the cottages, according to an ancestral recipe for selling paper or the click But what is it exactly and what is the real risk?
It all started with an alert launched by Simon Aarons and David Buchanan, two security experts, who detected a vulnerability in Google smartphones in January 2023. Baptized Acropalypse, referenced under the sweet name of CVE-2023-21036 according to the nomenclature in use, and immediately reported to the Mountain View giant, as it should be, this flaw would make it possible to find information deleted in screenshots taken with the pixels. More exactly, it would be possible to cancel a posteriori retouching carried out on these images and thus revealing modified portions, and intended, in particular, to hide private information (names, telephone numbers, email addresses, bank details, etc.). The kind of particularly sensitive private data that it is better not to expose to everyone’s eyes, when you share a screenshot on social networks, on a discussion forum, in a blog or in an email…
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel’s inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr
—Simon Aarons (@ItsSimonTime) March 17, 2023
Very curiously, on March 21, 2023, a few days after Simon Aarons revealed the problem on Twitter, a certain Christian Blume reported the same fault in Windows, as reported Engadget. More specifically, in screenshots taken with Snipping Tool, the screen capture tool delivered as standard in Windows 10 and 11. Again, it would be possible to find the original image – and therefore the information deliberately hidden – in a capture made and retouched with the software. Panic on board! To the point that Microsoft, informed of the situation, hastened to correct the problem by distributing new versions of the famous tool – renamed Tool capture screen in the French editions – numbered 11.2302.20.0 in Windows and 10.2008.3001.0 in Windows 11. “We have released a security update for these tools via CVE-2023-28303. We recommend that customers apply the update”, Microsoft said, acknowledging the existence of the concern. Phew!
Acropalypse: a very difficult flaw to exploit
But here it is: on closer inspection, is this problem as serious as it is said? Not really. To the point that even Microsoft describes the flaw as “low severity”. Indeed, whether on Pixel phones or Windows PCs, this vulnerability only affects captures made and edited with the tool integrated into the system. And therefore not those which are carried out and/or modified afterwards with another software. In addition, in the case of Windows, only images saved in the same location as the original and with the same name can be exploited by hackers, provided they are obviously publicly accessible. Moreover, it would seem that only PNG files – a format that allows transparency, and therefore the persistence of graphic information masked by retouching – is really exploitable, even if the researchers claim that the problem also concerns Jpeg images, which seems surprising. Finally, still according to the experts who have looked into the matter, all the hidden information would not be recoverable.
In short, if we take stock, we must meet many conditions to possibly risk being stolen some confidential information. Especially since the problem would only affect “raw” images, before they are published on social networks, which generally carry out processing – compression, change of format, cropping… – to lighten them. Clearly, even if the problem is not new and a few old captures lying around here and there with recoverable data, the risk seems infinitesimal. You know a lot of people who take screenshots on Pixels – no offense to Google, these smartphones are less common than iPhones or Galaxys… – or with the Windows tool, who modify them with the integrated tool without changing their name, location or format, and who publishes them as is? We’re looking… Was it reasonable to cry wolf?