/plushcap/analysis/cloudflare/how-cloudflare-images-addressed-the-acropalypse-vulnerability

How Cloudflare Images addressed the aCropalypse vulnerability

What's this blog post about?

Cloudflare has resolved the "aCropalypse" vulnerability affecting its Image Resizing and Cloudflare Images products by introducing a fix that does not require changes to original images or cause increased latency for customers. The issue, which affects cropped JPEG and PNG files, allows third parties to recover sensitive data from an image even after it has been visually censored or cropped out. To address this vulnerability, Cloudflare implemented a solution that involves parsing the file structure of images to detect if there is any data left beyond the end-of-image marker. This was done by using Rust wrappers for libjpeg-turbo and lodepng libraries for decoding JPEGs and PNGs, respectively. The fix ensures that no sensitive information remains in cropped or modified images processed through Cloudflare's Image Resizing and Cloudflare Images products. This update demonstrates Cloudflare's commitment to maintaining the security of its services and protecting customers from potential vulnerabilities.

Company
Cloudflare

Date published
July 10, 2023

Author(s)
Nicholas Skehin

Word count
1259

Language
English

Hacker News points
59


By Matt Makai. 2021-2024.