Jump to content

ACropalypse: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
formatting fix
 
(11 intermediate revisions by 9 users not shown)
Line 10: Line 10:
| affected software = Markup, Snip & Sketch for Windows 10, and Snipping Tool for Windows 11
| affected software = Markup, Snip & Sketch for Windows 10, and Snipping Tool for Windows 11
}}
}}
'''aCropalypse''' ('''CVE 2023-21036''') was a vulnerability in Markup, a [[screenshot]] editing tool introduced in [[Google Pixel]] phones with the release of [[Android Pie]]. The vulnerability, discovered in 2023 by security researchers Simon Aarons and David Buchanan, allows an attacker to view an [[Cropping (image)|uncropped]] and unaltered version of a screenshot. Following aCropalypse's discovery, a similar [[zero-day (computing)|zero-day]]<ref>{{Cite web |url=https://arstechnica.com/information-technology/2023/03/windows-10-and-11-get-their-own-version-of-the-acropalypse-screenshot-bug/ |title="Acropalypse" Android screenshot bug turns into a 0-day Windows vulnerability vulnerability |date=March 22, 2023 |last=Cunningham |first=Andrew |work=[[Ars Technica]] |access-date=March 23, 2023}}</ref> vulnerability was also discovered, affecting [[Snip & Sketch]] for [[Windows 10]] and [[Snipping Tool]] for [[Windows 11]].
'''aCropalypse''' ('''CVE-2023-21036''') was a vulnerability in Markup, a [[screenshot]] editing tool introduced in [[Google Pixel]] phones with the release of [[Android Pie]]. The vulnerability, discovered in 2023 by security researchers Simon Aarons and David Buchanan, allows an attacker to view an [[Cropping (image)|uncropped]] and unaltered version of a screenshot. Following aCropalypse's discovery, a similar [[zero-day (computing)|zero-day]]<ref>{{Cite web |url=https://arstechnica.com/information-technology/2023/03/windows-10-and-11-get-their-own-version-of-the-acropalypse-screenshot-bug/ |title="Acropalypse" Android screenshot bug turns into a 0-day Windows vulnerability vulnerability |date=March 22, 2023 |last=Cunningham |first=Andrew |work=[[Ars Technica]] |access-date=March 23, 2023}}</ref> vulnerability was also discovered, affecting [[Snip & Sketch]] for [[Windows 10]] and [[Snipping Tool]] for [[Windows 11]].


==Background==
==Background==
Line 17: Line 17:


==Discovery and usage==
==Discovery and usage==
aCropalypse was discovered by Simon Aarons and David Buchanan, two security researchers.<ref name="AndroidPoliceInfo"/> Aarons reportedly discovered the bug when he noticed that the file size for a screenshot he took of white text on a black background was abnormally large.<ref>{{Cite web |url=https://www.wired.com/story/acropalyse-google-markup-windows-photo-cropping-bug/ |title=Some Photo-Cropping Apps Are Exposing Your Secrets |date=March 22, 2023 |last=Hay Newman |first=Lily |work=[[Wired (magazine)|Wired]] |access-date=March 22, 2023}}</ref> A website was created where users can submit cropped or altered images to reveal the original.<ref name="TheVergeInfo">{{Cite web |url=https://www.theverge.com/2023/3/19/23647120/google-pixel-acropalypse-exploit-cropped-screenshots |title=Google Pixel exploit reverses edited parts of screenshots |date=March 19, 2023 |last=Roth |first=Emma |work=[[The Verge]] |access-date=March 21, 2023}}</ref>
aCropalypse was discovered by Simon Aarons and David Buchanan, two security researchers.<ref name="AndroidPoliceInfo"/> It had previously been submitted to Google's issue tracker by Lucy Phipps on August 11, 2022.<ref>{{Cite web |url=https://issuetracker.google.com/issues/241936678 |title=builtin screenshot cropping tool writes junk data |date=August 11, 2022 |access-date=March 29, 2023}}</ref> Aarons reportedly discovered the bug when he noticed that the file size for a screenshot he took of white text on a black background was abnormally large.<ref>{{Cite magazine |url=https://www.wired.com/story/acropalyse-google-markup-windows-photo-cropping-bug/ |title=Some Photo-Cropping Apps Are Exposing Your Secrets |date=March 22, 2023 |last=Hay Newman |first=Lily |magazine=[[Wired (magazine)|Wired]] |access-date=March 22, 2023}}</ref> A website was created where users can submit cropped or altered images to reveal the original.<ref name="TheVergeInfo">{{Cite web |url=https://www.theverge.com/2023/3/19/23647120/google-pixel-acropalypse-exploit-cropped-screenshots |title=Google Pixel exploit reverses edited parts of screenshots |date=March 19, 2023 |last=Roth |first=Emma |work=[[The Verge]] |access-date=March 21, 2023}}</ref>


==Behavior==
==Behavior==
aCropalypse exploits a vulnerability within Markup. Upon saving a cropped screenshot in Markup, the altered image is saved in the same location as the original image.<ref name="9to5Info">{{Cite web |url=https://9to5google.com/2023/03/18/pixel-markup-screenshot-vulnerability/ |title=Pixel Markup vulnerability lets some screenshots be un-redacted, un-cropped; fixed by March update |date=March 18, 2023 |last=Li |first=Abner |work=9to5Google |access-date=March 21, 2023}}</ref> The image is created using the {{Java|ParcelFileDescriptor.open()}} function; the function is called using the {{Java|"w"}} argument to {{Java|ParcelFileDescriptor.parseMode()}}, representing "write", when {{Java|"wt"}} should have been passed instead, truncating the original image.<ref name="BuchananWriteup">{{Cite web |url=https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html |title=Exploiting aCropalypse: Recovering Truncated PNGs |date=March 18, 2023 |last=Buchanan |first=David |access-date=March 21, 2023}}</ref> Although the image is not created using {{Java|ParcelFileDescriptor.parseMode()}}, but rather {{Java|ParcelFileDescriptor.open()}}, the former converts an argument into a [[bitmask]] for the latter.<ref>{{Cite web |url=https://www.theregister.com/2023/03/20/google_pixel_acropalypse/ |title=Privacy fail: Pictures cropped, redacted by Google Pixel phones can be recovered |date=March 20, 2023 |last=Vigliarolo |first=Brandon |work=[[The Register]] |access-date=March 21, 2023}}</ref> In similar functions, such as the [[C (programming language)|C]] function <code>[[fopen]]</code>, using the {{C-lang|"w"}} argument will automatically truncate the file to zero length.<ref>{{Cite web |url=https://man7.org/linux/man-pages/man3/fopen.3.html |title=fopen(3) |date=March 22, 2021 |publisher=Linux manual |access-date=March 21, 2023}}</ref> The use of {{Java|"w"}} was implemented in [[Android 10]] as an undocumented<ref>{{Cite web |url=https://arstechnica.com/gadgets/2023/03/google-pixel-bug-lets-you-uncrop-the-last-four-years-of-screenshots/ |title=Google Pixel bug lets you "uncrop" the last four years of screenshots |date=March 20, 2023 |last=Amadeo |first=Ron |work=[[Ars Technica]] |access-date=March 21, 2023}}</ref> change.<ref name="AndroidPoliceInfo">{{Cite web |url=https://www.androidpolice.com/android-pixel-markup-exploit-discord-acropalypse/ |title=Severe exploit could expose sensitive data on Pixel screenshots previously cropped |date=March 18, 2023 |last=Wang |first=Jules |work=Android Police |access-date=March 21, 2023}}</ref>
aCropalypse exploits a vulnerability within Markup. Upon saving a cropped screenshot in Markup, the altered image is saved in the same location as the original image.<ref name="9to5Info">{{Cite web |url=https://9to5google.com/2023/03/18/pixel-markup-screenshot-vulnerability/ |title=Pixel Markup vulnerability lets some screenshots be un-redacted, un-cropped; fixed by March update |date=March 18, 2023 |last=Li |first=Abner |work=[[9to5Google]] |access-date=March 21, 2023}}</ref> The image is created using the {{Java|ParcelFileDescriptor.open()}} function; the function is called using the {{Java|"w"}} argument to {{Java|ParcelFileDescriptor.parseMode()}}, representing "write", when {{Java|"wt"}} should have been passed instead, truncating the original image.<ref name="BuchananWriteup">{{Cite web |url=https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html |title=Exploiting aCropalypse: Recovering Truncated PNGs |date=March 18, 2023 |last=Buchanan |first=David |access-date=March 21, 2023}}</ref> Although the image is not created using {{Java|ParcelFileDescriptor.parseMode()}}, but rather {{Java|ParcelFileDescriptor.open()}}, the former converts an argument into a [[bitmask]] for the latter.<ref>{{Cite web |url=https://www.theregister.com/2023/03/20/google_pixel_acropalypse/ |title=Privacy fail: Pictures cropped, redacted by Google Pixel phones can be recovered |date=March 20, 2023 |last=Vigliarolo |first=Brandon |work=[[The Register]] |access-date=March 21, 2023}}</ref> In similar functions, such as the [[C (programming language)|C]] function <code>[[fopen]]</code>, using the {{C-lang|"w"}} argument will automatically truncate the file to zero length.<ref>{{Cite web |url=https://man7.org/linux/man-pages/man3/fopen.3.html |title=fopen(3) |date=March 22, 2021 |publisher=Linux manual |access-date=March 21, 2023}}</ref> The use of {{Java|"w"}} was implemented in [[Android 10]] as an undocumented<ref>{{Cite web |url=https://arstechnica.com/gadgets/2023/03/google-pixel-bug-lets-you-uncrop-the-last-four-years-of-screenshots/ |title=Google Pixel bug lets you "uncrop" the last four years of screenshots |date=March 20, 2023 |last=Amadeo |first=Ron |work=[[Ars Technica]] |access-date=March 21, 2023}}</ref> change.<ref name="AndroidPoliceInfo">{{Cite web |url=https://www.androidpolice.com/android-pixel-markup-exploit-discord-acropalypse/ |title=Severe exploit could expose sensitive data on Pixel screenshots previously cropped |date=March 18, 2023 |last=Wang |first=Jules |work=Android Police |access-date=March 21, 2023}}</ref>


Markup uses [[zlib]], a compression library that utilizes [[deflate]] compression, itself based on the lossless data compression algorithms [[LZ77 and LZ78]], where each bit of data references the last, and dynamic [[Huffman coding]], where a Huffman tree is defined at the start of the block. The Huffman tree in Markup screenshots are respecified every 16 bits. The initial exploit for aCropalypse precomputed a list of 8 [[bytestring]]s and passed them to zlib, in order to start from a specific bit offset. Additionally, the initial exploit prefixed the image stream with 32 KB of the [[ASCII]] character "X".<ref name="BuchananWriteup"/>
Markup uses [[zlib]], a compression library that utilizes [[deflate]] compression, itself based on the lossless data compression algorithms [[LZ77 and LZ78]], where each bit of data references the last, and dynamic [[Huffman coding]], where a Huffman tree is defined at the start of the block. The Huffman tree in Markup screenshots are respecified every 16 kilobytes. The initial exploit for aCropalypse precomputed a list of 8 [[bytestring]]s and passed them to zlib, in order to start from a specific bit offset. Additionally, the initial exploit prefixed the image stream with 32 KB of the [[ASCII]] character "X".<ref name="BuchananWriteup"/>


==Mitigation==
==Mitigation==
An internal patch for aCropalypse was finalized on January 24, 2023,<ref name="AndroidPoliceInfo"/> although a fix only began rolling out in a security patch<ref name="9to5Info"/> released on March 13, 2023.<ref>{{Cite web |url=https://9to5google.com/2023/03/13/android-13-qpr2-pixel-feature-drop/ |title=March Pixel Feature Drop with Android 13 QPR2 now rolling out |date=March 13, 2023 |last=Li |first=Abner |work=9to5Google |access-date=March 21, 2023}}</ref> Certain social media sites, including [[Twitter]], automatically truncate uploaded images, although others do not. One such site, [[Discord]], did not mitigate the vulnerability until January 24.<ref name="TheVergeInfo"/>
An internal patch for aCropalypse was finalized on January 24, 2023,<ref name="AndroidPoliceInfo"/> although a fix only began rolling out in a security patch<ref name="9to5Info"/> released on March 13, 2023.<ref>{{Cite web |url=https://9to5google.com/2023/03/13/android-13-qpr2-pixel-feature-drop/ |title=March Pixel Feature Drop with Android 13 QPR2 now rolling out |date=March 13, 2023 |last=Li |first=Abner |work=[[9to5Google]] |access-date=March 21, 2023}}</ref> Certain social media sites, including [[Twitter]], automatically truncate uploaded images, although others do not. One such site, [[Discord]], mitigated the vulnerability January 17, 2023.<ref name="TheVergeInfo"/> [[Cloudflare]] addressed the issue in [[JPEG]] files by checking the end-of-image marker in [[libjpeg-turbo]] for [[Rust (programming language)|Rust]] and in [[PNG]] files with lodepng.<ref>{{Cite web |url=https://blog.cloudflare.com/how-cloudflare-images-addressed-the-acropalypse-vulnerability/ |title=How Cloudflare Images addressed the aCropalypse vulnerability |date=July 10, 2023 |last=Skehin |first=Nicholas |publisher=[[Cloudflare]] |access-date=July 11, 2023}}</ref>


==Impact==
==Impact==
aCropalypse affects Google Pixel phones running Android 10, released in September 2019.<ref>{{Cite web |url=https://www.androidpolice.com/2019/09/03/android-10-is-rolling-out-to-pixels-starting-today/ |title=Android 10 is rolling out to Pixels starting today |date=September 3, 2019 |last=Hager |first=Ryne |work=Android Police |access-date=March 21, 2023}}</ref> Affected photos could include [[credit card number]]s and other private photos.<ref>{{Cite web |url=https://www.independent.co.uk/tech/google-pixel-crop-acropalypse-security-b2304504.html |title=Google 'acropalypse' lets users see hidden parts of images |date=March 20, 2023 |last=Cuthbertson |first=Anthony |work=[[The Independent]] |access-date=March 21, 2023}}</ref> By the time the vulnerability was disclosed, multiple devices, including the Pixel 3 and [[Pixel 3a|3a]], [[Pixel 4]], [[Pixel 5]], and [[Pixel 6]] and [[Pixel 6a|6a]], had not received the update, thus rendering them susceptible to the vulnerability.<ref>{{Cite web |url=https://www.engadget.com/google-pixel-vulnerability-allows-bad-actors-to-undo-markup-screenshot-edits-and-redactions-195322267.html |title=Google Pixel vulnerability allows bad actors to undo Markup screenshot edits and redactions |date=March 21, 2023 |last=Bonifacic |first=Igor |work=[[Engadget]] |access-date=March 21, 2023}}</ref>
aCropalypse affects Google Pixel phones running Android 10, released in September 2019.<ref>{{Cite web |url=https://www.androidpolice.com/2019/09/03/android-10-is-rolling-out-to-pixels-starting-today/ |title=Android 10 is rolling out to Pixels starting today |date=September 3, 2019 |last=Hager |first=Ryne |work=Android Police |access-date=March 21, 2023}}</ref> Affected photos could include [[credit card number]]s and other private photos.<ref>{{Cite web |url=https://www.independent.co.uk/tech/google-pixel-crop-acropalypse-security-b2304504.html |title=Google 'acropalypse' lets users see hidden parts of images |date=March 20, 2023 |last=Cuthbertson |first=Anthony |work=[[The Independent]] |access-date=March 21, 2023}}</ref> By the time the vulnerability was disclosed, multiple devices, including the Pixel 3 and [[Pixel 3a|3a]], [[Pixel 4]], [[Pixel 5]], and [[Pixel 6]] and [[Pixel 6a|6a]], had not received the update, thus rendering them vulnerable.<ref>{{Cite web |url=https://www.engadget.com/google-pixel-vulnerability-allows-bad-actors-to-undo-markup-screenshot-edits-and-redactions-195322267.html |title=Google Pixel vulnerability allows bad actors to undo Markup screenshot edits and redactions |date=March 21, 2023 |last=Bonifacic |first=Igor |work=[[Engadget]] |access-date=March 21, 2023}}</ref>


On March 21, software engineer Chris Blume noted that the [[Snipping Tool]] in [[Windows 11]] results in a file size equal to a cropped version of the same image.<ref>{{Cite web |url=https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/ |title=Windows 11 Snipping Tool privacy bug exposes cropped image content |date=March 21, 2023 |last=Abrams |first=Lawrence |work=[[Bleeping Computer]] |access-date=March 21, 2023}}</ref> Using this, Buchanan discovered that the Snipping Tool in Windows 11, as well as [[Windows 10]]'s [[Snip & Sketch]], were susceptible to the same exploit, although not the Win32 Snipping Tool in Windows 10.<ref>{{Cite web |url=https://www.theverge.com/2023/3/21/23650657/windows-snipping-tool-crop-screenshots-vulnerability |title=Oops, Windows' screenshot tool may be saving stuff you cropped out, too |date=March 21, 2023 |last=Clark |first=Mitchell |work=[[The Verge]] |access-date=March 21, 2023}}</ref>
On March 21, software engineer Chris Blume noted that the [[Snipping Tool]] in [[Windows 11]] results in a file size equal to a cropped version of the same image.<ref>{{Cite web |url=https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/ |title=Windows 11 Snipping Tool privacy bug exposes cropped image content |date=March 21, 2023 |last=Abrams |first=Lawrence |work=[[Bleeping Computer]] |access-date=March 21, 2023}}</ref> Using this, Buchanan discovered that the Snipping Tool in Windows 11, as well as [[Windows 10]]'s [[Snip & Sketch]], were susceptible to the same exploit, although not the Win32 Snipping Tool in Windows 10.<ref>{{Cite web |url=https://www.theverge.com/2023/3/21/23650657/windows-snipping-tool-crop-screenshots-vulnerability |title=Oops, Windows' screenshot tool may be saving stuff you cropped out, too |date=March 21, 2023 |last=Clark |first=Mitchell |work=[[The Verge]] |access-date=March 21, 2023}}</ref>

Latest revision as of 05:28, 9 May 2024

aCropalypse
CVE identifier(s)CVE-2023-21036
Date discoveredJanuary 2, 2023; 23 months ago (2023-01-02)
Date patchedJanuary 24, 2023; 23 months ago (2023-01-24)
DiscovererSimon Aarons and David Buchanan
Affected softwareMarkup, Snip & Sketch for Windows 10, and Snipping Tool for Windows 11

aCropalypse (CVE-2023-21036) was a vulnerability in Markup, a screenshot editing tool introduced in Google Pixel phones with the release of Android Pie. The vulnerability, discovered in 2023 by security researchers Simon Aarons and David Buchanan, allows an attacker to view an uncropped and unaltered version of a screenshot. Following aCropalypse's discovery, a similar zero-day[1] vulnerability was also discovered, affecting Snip & Sketch for Windows 10 and Snipping Tool for Windows 11.

Background

[edit]

In 2018, Android Pie—the ninth major release of Android—was released. With the release of Android Pie, Google Pixel phones beginning with the Pixel 3 received a new screenshot editor known as Markup. The editor allows a user to crop screenshots and alter them using on-screen elements, such as a pen and highlighter.[2] Users can then save these screenshots to Google Photos or save them locally on their device.[3]

Discovery and usage

[edit]

aCropalypse was discovered by Simon Aarons and David Buchanan, two security researchers.[4] It had previously been submitted to Google's issue tracker by Lucy Phipps on August 11, 2022.[5] Aarons reportedly discovered the bug when he noticed that the file size for a screenshot he took of white text on a black background was abnormally large.[6] A website was created where users can submit cropped or altered images to reveal the original.[7]

Behavior

[edit]

aCropalypse exploits a vulnerability within Markup. Upon saving a cropped screenshot in Markup, the altered image is saved in the same location as the original image.[8] The image is created using the ParcelFileDescriptor.open() function; the function is called using the "w" argument to ParcelFileDescriptor.parseMode(), representing "write", when "wt" should have been passed instead, truncating the original image.[9] Although the image is not created using ParcelFileDescriptor.parseMode(), but rather ParcelFileDescriptor.open(), the former converts an argument into a bitmask for the latter.[10] In similar functions, such as the C function fopen, using the "w" argument will automatically truncate the file to zero length.[11] The use of "w" was implemented in Android 10 as an undocumented[12] change.[4]

Markup uses zlib, a compression library that utilizes deflate compression, itself based on the lossless data compression algorithms LZ77 and LZ78, where each bit of data references the last, and dynamic Huffman coding, where a Huffman tree is defined at the start of the block. The Huffman tree in Markup screenshots are respecified every 16 kilobytes. The initial exploit for aCropalypse precomputed a list of 8 bytestrings and passed them to zlib, in order to start from a specific bit offset. Additionally, the initial exploit prefixed the image stream with 32 KB of the ASCII character "X".[9]

Mitigation

[edit]

An internal patch for aCropalypse was finalized on January 24, 2023,[4] although a fix only began rolling out in a security patch[8] released on March 13, 2023.[13] Certain social media sites, including Twitter, automatically truncate uploaded images, although others do not. One such site, Discord, mitigated the vulnerability January 17, 2023.[7] Cloudflare addressed the issue in JPEG files by checking the end-of-image marker in libjpeg-turbo for Rust and in PNG files with lodepng.[14]

Impact

[edit]

aCropalypse affects Google Pixel phones running Android 10, released in September 2019.[15] Affected photos could include credit card numbers and other private photos.[16] By the time the vulnerability was disclosed, multiple devices, including the Pixel 3 and 3a, Pixel 4, Pixel 5, and Pixel 6 and 6a, had not received the update, thus rendering them vulnerable.[17]

On March 21, software engineer Chris Blume noted that the Snipping Tool in Windows 11 results in a file size equal to a cropped version of the same image.[18] Using this, Buchanan discovered that the Snipping Tool in Windows 11, as well as Windows 10's Snip & Sketch, were susceptible to the same exploit, although not the Win32 Snipping Tool in Windows 10.[19]

References

[edit]
  1. ^ Cunningham, Andrew (March 22, 2023). ""Acropalypse" Android screenshot bug turns into a 0-day Windows vulnerability vulnerability". Ars Technica. Retrieved March 23, 2023.
  2. ^ Gao, Richard (March 7, 2018). "Android P feature spotlight: Screenshot editing is now native with 'Markup'". Android Police. Retrieved March 21, 2023.
  3. ^ Maring, Joe (August 8, 2018). "How to take screenshots in Android Pie". Android Central. Retrieved March 21, 2023.
  4. ^ a b c Wang, Jules (March 18, 2023). "Severe exploit could expose sensitive data on Pixel screenshots previously cropped". Android Police. Retrieved March 21, 2023.
  5. ^ "builtin screenshot cropping tool writes junk data". August 11, 2022. Retrieved March 29, 2023.
  6. ^ Hay Newman, Lily (March 22, 2023). "Some Photo-Cropping Apps Are Exposing Your Secrets". Wired. Retrieved March 22, 2023.
  7. ^ a b Roth, Emma (March 19, 2023). "Google Pixel exploit reverses edited parts of screenshots". The Verge. Retrieved March 21, 2023.
  8. ^ a b Li, Abner (March 18, 2023). "Pixel Markup vulnerability lets some screenshots be un-redacted, un-cropped; fixed by March update". 9to5Google. Retrieved March 21, 2023.
  9. ^ a b Buchanan, David (March 18, 2023). "Exploiting aCropalypse: Recovering Truncated PNGs". Retrieved March 21, 2023.
  10. ^ Vigliarolo, Brandon (March 20, 2023). "Privacy fail: Pictures cropped, redacted by Google Pixel phones can be recovered". The Register. Retrieved March 21, 2023.
  11. ^ "fopen(3)". Linux manual. March 22, 2021. Retrieved March 21, 2023.
  12. ^ Amadeo, Ron (March 20, 2023). "Google Pixel bug lets you "uncrop" the last four years of screenshots". Ars Technica. Retrieved March 21, 2023.
  13. ^ Li, Abner (March 13, 2023). "March Pixel Feature Drop with Android 13 QPR2 now rolling out". 9to5Google. Retrieved March 21, 2023.
  14. ^ Skehin, Nicholas (July 10, 2023). "How Cloudflare Images addressed the aCropalypse vulnerability". Cloudflare. Retrieved July 11, 2023.
  15. ^ Hager, Ryne (September 3, 2019). "Android 10 is rolling out to Pixels starting today". Android Police. Retrieved March 21, 2023.
  16. ^ Cuthbertson, Anthony (March 20, 2023). "Google 'acropalypse' lets users see hidden parts of images". The Independent. Retrieved March 21, 2023.
  17. ^ Bonifacic, Igor (March 21, 2023). "Google Pixel vulnerability allows bad actors to undo Markup screenshot edits and redactions". Engadget. Retrieved March 21, 2023.
  18. ^ Abrams, Lawrence (March 21, 2023). "Windows 11 Snipping Tool privacy bug exposes cropped image content". Bleeping Computer. Retrieved March 21, 2023.
  19. ^ Clark, Mitchell (March 21, 2023). "Oops, Windows' screenshot tool may be saving stuff you cropped out, too". The Verge. Retrieved March 21, 2023.