back to article Privacy fail: Pictures cropped, redacted by Google Pixel phones can be recovered

If you've owned a Google Pixel smartphone since the 3 series came out in 2018, bad news: any screenshot that you've cropped or redacted on your Pixel can be potentially restored without much fuss. Reverse engineers Simon Aarons and David Buchanan, who found the bug and produced a proof-of-concept recovery tool, respectively, …

  1. Snake Silver badge

    Really??

    a silent change from Android 9 to Android 10 in which the OS-provided Java function parseMode() now requires the argument "wt" when an app wishes to overwrite and truncate a file to a shorter length, not just "w".

    You changed the operation parameters of an existing operator, one with a long legacy, and thought this was OK??! You should have put -t as a new option for NOT truncating, not change a known pattern of operation and then make a mandatory (-wt) to-use switch to get it back to the way it was for over a decade.

    :shakes head: And you thought Google programmers were intelligent. I guess this proves that wrong.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Really??

      Not quite. It seems that the change was an unintentional bug, caused by aome code refactoring.

      https://issuetracker.google.com/issues/180526528?pli=1

    3. Anonymous Coward
      Anonymous Coward

      Re: Really??

      Hear hear.

      Can anyone think of a use for overwriting a file WITHOUT truncating? I could sorta kinda see the option for allowing non-truncating by specifying an additional flag, but when would you ever want to?

      1. Robert Carnegie Silver badge

        Re: Really??

        Overwriting part of the data in a file isn't unusual. For instance a database:

        John

        Paul

        Geogre

        Ringo

        The third row of data is incorrect, and it would be reasonable to overwrite "Geogre" with "George", without removing Ringo from the file obviously.

        1. Steve Aubrey
          Headmaster

          Re: Really??

          But whatever includes the name is atomic. The *list* of names is not atomic.

          The PNG from the original problem is atomic.

  2. James O'Shea Silver badge

    Hmmm

    I don't have this problem because:

    1. I have an iPhone, not an Android

    2. even if Apple is sufficiently stupid as to have a similar bug, I upload all (repeat, ALL) photos to one of my computers (Apple, Windows, Ubuntu, usually a Mac 'cause it's easiest) and DELETE THEM FROM THE BLOODY PHONE. All image manipulation is done on a desktop machine. I might, if I feel like it, stick any photos I want on the phone into something like Apple's Photos, which cloudifies stuff; I don't usually use Photos, in large part because I don't bloody trust cloudy crap. (Yes, the photos are automagically dropped into Photos ninth first place. Yes, I nuke 'em good from Photos. If the photos ain't on the bloody phone, or in the bloody cloud, they can't be bloody hacked.) At the current time I have exactly 15 photos on my two iPhones. Three of them are images used as wallpaper for the phones and an iPad, I didn't like the wallpaper which shipped with the iDevices.

    3. if I had an Android I still wouldn't have this problem, see 2. above. I used to have an Android, a Very Long Time Ago. When I did have the Android, I'd feed photos (I didn't have many, the Android was shitty, had a bad camera and not much space and I didn't have it for long anyway) to Windows machines, work there, and delete from the phone. Mostly to conserve space, that thing was really short on storage.

    Can someone explain to me why people keep lots of photos on phones and even do image manipulation there?

    1. Sandtitz Silver badge

      Re: Hmmm

      "Can someone explain to me why people keep lots of photos on phones and even do image manipulation there?"

      Some people don't have a computer.

      Some people may find the manipulation tools on the phone good enough.

      1. Orv Silver badge

        Re: Hmmm

        I have extensive tools on my computer for manipulating images, but the tools on the phone are often plenty good. Especially on my iPhone, where I can take a screen shot, crop it, annotate it, and send it to someone without having to go through the extra step of sending it to my computer.

        While I'm at it I'll also note that transferring a photo from Android to a Windows machine is needlessly clumsy because they have no equivalent to Apple's Airdrop functionality.

        1. that one in the corner Silver badge

          Re: Hmmm

          > transferring a photo from Android to a Windows machine is needlessly clumsy because they have no equivalent to Apple's Airdrop functionality.

          From Android to PC I normally just use the boring old "copy a file"[1] across USB (is a simple cable "needlessly clumsy" nowadays?) or, when I'm all the way downstairs from the PC, save it from Android to an SMB share.

          [1] Usually just Windows Explorer, other options are available

          1. FrogsAndChips Silver badge

            Re: Hmmm

            I also do USB transfers from Android to PC, but I wish there were an easier, out-of-the-box way of doing it, instead of:

            - plug the cable

            - select 'USB transfer' on the phone

            - open File Explorer

            - navigate to the Pictures folder: now, is it on the internal memory or the SD card? In folder Android or DCIM? Camera or 100ANDRO?

            - wait for all the photos to load, starting from the oldest ones when you're only interested in the 1-2 you've just taken

            - copy to destination folder, hurray!

            I'm sure there are tools that make it much easier, but I shouldn't need to install one for such a basic operation.

          2. tiggity Silver badge

            Re: Hmmm

            I just email myself the pic & then can access it on "proper" computer - simple enough.

            Or if at home can just use local network NAS (USB storage device hanging off the router acts as temporary local network file share system for copying larger volumes of data than email would manage)

        2. IGotOut Silver badge

          Re: Hmmm

          "While I'm at it I'll also note that transferring a photo from Android to a Windows machine is needlessly clumsy because they have no equivalent to Apple's Airdrop functionality."

          No they have no equivalent to a closed property system, instead, the use multiple platform standards.

          Bluetooth

          WiFi direct

          USB

          Remind me how you airdrop to a Windows PC?

          1. Orv Silver badge

            Re: Hmmm

            You don't, that's kind of the point. All you can do is plug in a cable and then browse for the file. Assuming everything trusts everything else and Windows decides the phase of the moon is correct for it to assign a functional drive letter.

    2. DS999 Silver badge

      You don't understand the issue at all

      and DELETE THEM FROM THE BLOODY PHONE

      Pretty sure the issue people are concerned about isn't having such cropped but not cropped photos on their phone, but that they've shared them via email or posting on social media or the web. Let's say your wife or girlfriend took an R rated selfie to send to you, then cropped the naughty bits and posted to Facebook. Ooops! Or maybe she likes posting to some of the more risque reddits, cropping her face out of the photo to prevent embarrassment or trouble from her employer (i.e. if she's a teacher or something)

      I would guess someone is already working on something that trawls Google's massive image database looking for such photos that have been uploaded to the web and creating an uncropped database. A lot of people are going to be very upset by this.

      I wonder if Pixel is the one one affected here. The iPhone's photo app includes a simple crop tool, and I could swear I was once able to undo a crop I had perviously done. Whether that's due to the information being saved in the photo (and survive if it was uploaded) or a separate ".orig" copy retained in the photo roll I don't know.

      It sounds like maybe this only affects screenshots which may prevent it from being that big of an issue, but I wonder if other stuff is using that API call...

      1. James O'Shea Silver badge

        Re: You don't understand the issue at all

        "Pretty sure the issue people are concerned about isn't having such cropped but not cropped photos on their phone, but that they've shared them via email or posting on social media or the web."

        1. Don't do that.

        2. If you must do that, do the image manipulation on a platform with reliable tools, such as a desktop and send only the manipulated images.

        3. Don't do that.

        "Let's say your wife or girlfriend took an R rated selfie to send to you, then cropped the naughty bits and posted to Facebook. Ooops! Or maybe she likes posting to some of the more risque reddits, cropping her face out of the photo to prevent embarrassment or trouble from her employer (i.e. if she's a teacher or something)"

        1. Don't post pix to Facebook. It never ends well.

        2. Don't post pix to Reddit. That never ends well either.

        3. If an unedited pic might cause problems, DON'T BLOODY POST IT IN THE FIRST PLACE. It's not hard.

        Just as I don't understand why anyone would screw with an image using tools on a phone, I don't understand why anyone would email pix that might cause problems, or, worse, post them to Arsebook or any other 'social media'. There have been so many stories over so many years about how badly this can go that only complete idiots would do it... and I think of this as being evolution in action. You post something which, if your employer finds out about it, might get you fired? Welcome to the ranks of the unemployed, laddie/lassie, and it'll be all your bloody fault. I have zero sympathy.

        1. A. Coatsworth Silver badge
          Angel

          Re: You don't understand the issue at all

          Thank you, Oh lord of the Only Valid Use Case for Any Technology Ever!

          By your word of wisdom nobody shall ever have problems in internet again, for anyone deviating from the doctrine shall join the ranks of the unemployed and have zero sympathy.

          If only the flocks of sheeple know not to use anything not approved by Thee!

          1. James O'Shea Silver badge

            Re: You don't understand the issue at all

            do what you like. Take the consequences.

        2. FrogsAndChips Silver badge

          Re: You don't understand the issue at all

          Just as I don't understand why [...], I don't understand why [...]

          Yeah, I think we get the idea.

    3. FrogsAndChips Silver badge

      Re: Hmmm

      "Can someone explain to me why people keep lots of photos on phones"

      Let me guess, so that they can look at them whenever they bloody want to?

  3. Simian Surprise

    Huh, I always thought I was being paranoid by cropping a screenshot and then taking a screenshot of *that*, but I was always just a bit suspicious.

    Guess I was right this time! Sadly...

  4. Steve Graham

    The bug is in the image manipulation software, not the phone. I point this out because my phone is, in fact, a Google Pixel, but it runs the extensively de-googlified microG version of Android, and has no Google image-editing tools.

    1. Updraft102

      Surely no person would be so foolish, in this day and age, to run any Google-branded anything... would they?

      1. Anonymous Coward
        Anonymous Coward

        re: Google branded anything

        Here in the UK, Google are using a series of TV ads where 'supposed Pixel owners' rave about not only their phones but the entire Google infrastructure.

        Personally, I think that they are rather sad people. Who in their right mind would entrust their entire digital life to a company like Google?

        While I have an iPhone and MacBook, I don't rely on the Apple environment for everything. LibreOffice does all my word processing. Lightroom does my photo manipulation, Waterfox is my default web browser and Thunderbird my email client. On the phone, I don't do email or social media.... It is a frigging phone in my use case with a camera for occasional use.

        I know that we are all different but to me, it just makes sense not to put all your eggs in one basket. Much like your banking. Don't have everything with one bank. Limit your exposure. It makes sense.

    2. that one in the corner Silver badge

      The OS is the problem, not the image editor app

      > The bug is in the image manipulation software

      NO! From the article:

      >> OS-provided Java function parseMode() ...

      The change is in the OS, *not* the image manipulation software, and the same issue will arise if you have Android 10+ and *any* software from *any* source that hasn't been given a patch for this egregious OS breakage.

  5. that one in the corner Silver badge

    What about all the other affected apps and data formats?

    All very clever pulling data out of the end of a PNG file, but this broken OS change is going to affect *EVERY* similar file overwrite if the new data happens to be shorter than the old.

    Including that terribly-difficult-to-interpret format, "plain text".

    Now, with plain text, the problem will be immediately apparent as soon as you re-open the file and spot the stuff on the end. Assuming that you *do* reopen it before sending it on with that unflattering note about the big boss still on the end - after all, how often does a text file just get shorter except when you're trying to delete those incriminating bits?

    Although, if the shorter piece of plain text has an EOF character and the display stops at that point...

    There are plenty more formats than just PNG that have an effective "end of useful data" marker (whether that is a chunk length or an EOF mark or...) where the excess won't be noticed by a well-behaved program but can still be found using that Evil Hacker's Tool, the "display hex" option in any decent editor.

  6. heyrick Silver badge

    FFS

    Anybody with even half a functioning braincell knows that you don't arbitrarily change the meaning of existing flags that are likely already being used may be used by (a lot of?) programs.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: FFS

      It seems that the change was an unintentional bug, caused by some code refactoring.

      https://issuetracker.google.com/issues/180526528?pli=1

  7. Anonymous Coward
    Anonymous Coward

    Damn! The NKVD is going to see Lev Davidovich sitting to my left nursing a water.

  8. Anonymous Coward
    Anonymous Coward

    Also ...

    On the subject of image cropping - I don't recall elReg covering this, but there is a similar concern with respect to cropping of images within Google Docs and MS Office. Not a bug, but it is worth knowing that when an image is cropped by the application itself, it isn't physically cropped but, rather, the visible portion is adjusted. The original image remains and can be restored.

    Not being a user of either, I can't vouch for that, but I have tested with LibreOffice Writer, and found that it behaves the same way.

    1. that one in the corner Silver badge

      Re: Also ...

      If you drop an image into a wordprocessor doc, and then resize in the page, adjusting the crop, moving it around on the page, *surely* everyone realises that the original image is still there in its entirety? Because you can just click on the image again and re-position, re-size and re-crop it! How else is that going to work?[1]

      The same goes for any other data where you can go back and edit the view: drop in a copy of a spreadsheet and only show a 4x5 set of cells, them go back the next day and decide you wanted to show a 4x6 set? If you can do that[3] then you *have* to realise that the rest of the entire spreadsheet has been copied in, including the column showing your monthly kickbacks!

      Please don't tell me[2] that there are people who can't figure this out.

      [1] to prevent this you'd need a UI to tell the WP that this is the final, uneditable, form of the image - whilst leaving the rest of the document on its editable form - and I've not yet heard of such a UI item (but please correct me if I've missed an option somewhere)

      [2] I'm sure that there are plenty of people who can't figure out that if *they* can resize the image and un-crop it back to its original form, so can anyone else who gets a copy of the document; I just don't want to be told about it - la la la, can't hear you, let me believe people are capable of reasoned thought.

      [3] "if" - that is something that the current crop of WP can do, isn't it? If not, there's a data leak or two averted, at least.

  9. Madf1ier

    Accidental save?

    Given that many such images are shared by WhatsApp, and WhatsApp annoyingly recompresses all images, I wonder if it is accidentally responsible for sanitising this problem?

    I can't reproduce it on cropped screenshots previously received over WhatsApp.

    1. Robert Carnegie Silver badge

      Re: Accidental save?

      It is likely - but check. As I read it, the not-deleted data is not a valid part of the PNG file format. It is like this:

      Here is an example of a longer sentence.

      Here is a shorter sentence.ger sentence.

      When you open a PNG file normally, it reads data until the full stop i.e. "Here is a shorter sentence." (This is a metaphor, and also I don't know for sure.) But the other data is still in the file, and it's technically possible to decode it. However, a normal PNG file viewer will ignore the extra data. I think. And if you save, or compress the file, not on Android 10 and 11, then the new saved file will end at the first full stop.

  10. Anonymous Coward
    Anonymous Coward

    Privacy Day Dream in 2023 -- Scott McNealy in 1999...........

    Quote: "......privacy fail....."

    Where have you been living for the last umpty-ump years:

    - Equifax

    - Solar Winds

    - Cisco backdoors

    - Huewei allegations

    - Snowden allegations

    .......and so on..........

    Here's a link from 1999........................yup 1999:

    - Link: https://www.wired.com/1999/01/sun-on-privacy-get-over-it/

    Yup...."Get Over It".............................

    1. Scott 26

      Re: Privacy Day Dream in 2023 -- Scott McNealy in 1999...........

      > Here's a link from 1999........................yup 1999:

      > - Link: https://www.wired.com/1999/01/sun-on-privacy-get-over-it/

      > Yup...."Get Over It".............................

      wow.

      Imagine a CEO saying that today.

      Wonder how he fared after that....

      " On April 24, 2006, McNealy stepped down as CEO"...ok, he survived another few good years. Then what?

      "In 2010, the same year Oracle Corporation purchased Sun, McNealy co-founded the social media intelligence company Wayin. [snip] Their product is an application store for brands to self-publish interactive advertising campaigns using reusable digital assets, removing the bulk of cost involved in delivering multi-channel digital advertising."

      ahhhhhhhh....... makes sense now.

  11. Anonymous Coward
    Anonymous Coward

    Wonderful

    Wonderful that everyone thinks this was a mistake. Gov acronym depts however, are disappointed it was outed.

  12. Tron Silver badge

    Worrying about privacy and using a Pixel? Does not compute.

    We've known since the year dot that deleting a file doesn't really delete it, so maybe this is no surprise. Didn't the same thing happen with alterations to Word files, way back when.

    Anyway, Pixels don't have a memory card slot, so you can't keep your data separate from your device. If it fails and you want it fixed, you have to send it to a third party with your data on it. So anyone who cares about their privacy wouldn't be using a Pixel anyway.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like