6

I was surprised when I cropped an image on Windows Phone, saved it, sent it via e-mail to a PC, and then downloaded it - and the thumbnail in the download folder was that of the original, not the cropped image, for a few seconds until finally it would refresh to the expected one.

Maybe I just don't know something obvious, but because I couldn't find any information by searching for "image file thumbnail history", "jpg old thumbnail stored in file" and similar, I think that while it may be a known functionality of some image formats, it is surely not known widely enough by users. An unaware user might take a photo with private data, crop the private data out and send it to someone, and this private data can not only possibly be acquired from a thumbnail by the intended receiver, but the image may be traveling from hand to hand - there might be millions of images on the Internet which contain private information in old thumbnails.

Here are some examples:

  • A photo of an identity card can be watermarked for a specific company with the company's name and a date, e.g. Quizzacious Systems 2016/03/05, to confirm the identity of a player who forgot a password; if a support employee has evil intentions, he can take a previous thumbnail of the image, which has no watermark, and use it to confirm his identity as this person - thumbnails in extra large size actually have a resolution comparable with cheap cellphones and may be accepted as proof of identity at least by some companies.
  • A photo of an identity card or anything else with some information censored out by black rectangles - everyone with minimum knowledge knows that a black rectangle in some formats is not just another layer of data, but removes the original data behind it; at least that's what I thought before discovering this vulnerability. It seems, however, that you can take a censored image and read censored data from its old thumbnail - the resolution might be too low for a scan of a sheet of paper, but it can be enough for something the size of an ID.
  • A photographic proof may be tested for authenticity by checking an old thumbnail and what was cropped out.
  • A photo with nakedness can be censored or cropped and then get popular over the Internet.

So what am I missing here? It seems a serious security vulnerability, something at least a common user should be well aware of, and yet I wasn't. Microsoft answered my e-mail:

this is not a valid vulnerability as this is by design. This functionality is also inline with cropping in Office.

However, I was aware of that in the case of MS Office (still, many users might not be), and if you print the document to either paper or PDF the cropped data is lost; you can also use the "compress" feature and remove cropped parts of an image there. How do you deal with JPG files, though?

  1. Is there a tool to read old thumbnails of images?
  2. How to remove data from an image permanently?
  3. Is it just a single previous thumbnail or all previous thumbnails that are stored?
  4. Does it affect only thumbnails, or - as MS suggests - does it work like in Office, with the whole original photo stored in the file?
  5. Where can I read more about this issue/feature?
John Deters
Markus von Broady
  • Not sure why they would do this unless there were an uncrop feature... can you "uncrop" on your Windows Phone? (It's possible they use the thumbnail to help verify a hidden file that contains the original...) – pcalkins Feb 10 '20 at 22:14

3 Answers

9

Jpeg files can contain Exif data, which can include a thumbnail. Theoretically, it seems it would be possible to store more than one, but I don't know of any program that does it, nor of a program that would read it.

What is likely to have happened in your case is that the program you used to crop the image modified only the main image, without modifying the embedded thumbnail.

exiftool can be used to read or replace Exif data, including the thumbnail. As shown in the documentation, exiftool -b -ThumbnailImage image.jpg > thumbnail.jpg can be used to extract the thumbnail from a jpeg, and exiftool '-ThumbnailImage<=thumb.jpg' dst.jpg to replace it. If you want to completely remove the embedded thumbnail, you could use exiftool -ThumbnailImage= dst.jpg.

Note that exif data can contain much more than a thumbnail, as exiftool -a -u -g1 a.jpg will show you.

user2313067
  • So what happened is: 1. WP 8.1 camera saved a photo and a thumbnail was created; 2. WP 8.1 photo edit app cropped a photo and saved it, but didn't update a thumbnail; 3. Windows Vista updated the thumbnail when the image was downloaded. I'll investigate it further, as I think thumbnails were OK (updated) in Gmail and that would mean both thumbnails were saved into the image. I'll also compare image sizes cropped vs uncropped. – Markus von Broady Mar 05 '16 at 12:54
  • 5
    I think steps 1 and 2 are likely. I'm however not sure Vista has modified the embedded thumbnail. I think Vista stores thumbnails separately from the files so I think it used the embedded thumbnail until it recreated a thumbnail from the full image. The old thumbnail is probably still in the file though. – user2313067 Mar 05 '16 at 13:00
  • 1
    Indeed this is the case! In images cropped on Windows Phone, thumbnails still represent an original image. You can't spot it on a fast machine, but with the help of my father's old laptop I could see how Vista first showed the thumbnail from exif data, but after a moment created its own thumbnail, saved it into thumbs.db (I guess), and from now on displayed the file using the thumbnail from thumbs.db, but the original image (in low, thumbnail resolution) is accessible to this day. – Markus von Broady Mar 05 '16 at 13:09
  • exiftool -ThumbnailImage= dst.jpg I tested this command, and it works. However, I can't find this option in the manpage. Can anyone find the option in the manpage? – Smile Nov 21 '19 at 14:29
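The Exif thumbnail this answer describes lives in the second image directory (IFD1) of the APP1 segment. As an added example (not code from the post or from exiftool), the Python below locates it and flags a thumbnail whose aspect ratio no longer matches the main image; the function names and the header-only sample files are constructed for illustration.

```python
import struct

def segments(jpeg):
    """Yield (marker, payload) for each header segment, stopping at SOS."""
    pos = 2                                          # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def dimensions(jpeg):                                # (width, height) from first SOF, else None
    for marker, body in segments(jpeg):
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            height, width = struct.unpack_from(">HH", body, 1)
            return width, height

def exif_thumbnail(jpeg):
    """Return the thumbnail bytes that Exif keeps in IFD1, or None."""
    for marker, body in segments(jpeg):
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            tiff = body[6:]                          # all offsets are relative to here
            e = "<" if tiff[:2] == b"II" else ">"    # TIFF byte order
            (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
            (n,) = struct.unpack_from(e + "H", tiff, ifd0)
            (ifd1,) = struct.unpack_from(e + "I", tiff, ifd0 + 2 + 12 * n)
            if ifd1:                                 # 0 means there is no IFD1
                (n,) = struct.unpack_from(e + "H", tiff, ifd1)
                rows = [struct.unpack_from(e + "HHII", tiff, ifd1 + 2 + 12 * i) for i in range(n)]
                tags = {tag: value for tag, _type, _count, value in rows}
                if 0x0201 in tags and 0x0202 in tags:    # JPEGInterchangeFormat, ...Length
                    return tiff[tags[0x0201]:tags[0x0201] + tags[0x0202]]

def thumbnail_is_stale(jpeg, tolerance=0.05):
    """Heuristic: thumbnail aspect ratio no longer matches the main image."""
    main, small = dimensions(jpeg), dimensions(exif_thumbnail(jpeg) or b"")
    if not main or not small:
        return False
    return abs(main[0] / main[1] - small[0] / small[1]) > tolerance * main[0] / main[1]

def sof(width, height):                              # minimal SOF0 segment for the sample
    return b"\xff\xc0\x00\x0b" + struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"

def build_sample(main_wh, thumb_wh):
    """Constructed input: header-only JPEG whose Exif IFD1 carries a thumbnail."""
    thumb = b"\xff\xd8" + sof(*thumb_wh) + b"\xff\xd9"
    tiff = b"II*\x00" + struct.pack("<IHI", 8, 0, 14)    # header, empty IFD0, IFD1 at 14
    ifd1 = struct.pack("<HHHIIHHIII", 2, 0x0201, 4, 1, 44, 0x0202, 4, 1, len(thumb), 0)
    app1 = b"Exif\x00\x00" + tiff + ifd1 + thumb
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + sof(*main_wh) + b"\xff\xd9"
```

A crop or edit that keeps the aspect ratio passes this heuristic, so before sharing an edited photo it is safer to remove or regenerate the embedded thumbnail (for instance with the exiftool -ThumbnailImage= command from the answer) than to rely on a check like this one.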
1

Some JPEG images do contain thumbnails of original unedited pictures. E.g. images before cropping, rotating, and retouching.

Embedded thumbnails are almost always attached by modern mobile phones and digital cameras. Recent cameras produce thumbnails of consistent quality. But older cameras used to add black stripes to max-out the image aspect ratio, or were of lower resolution.

Some thumbnails are of relatively high resolution (e.g. 512×384 pixels), and seem to be limited by the exif max size of 64k. The same camera may produce different resolution thumbnails for different images to fit the limit.

In rare cases thumbnails completely mismatch the image content, e.g. originating from a different image.

An online program to read JPEG thumbnails I wrote will help quickly visualize them (desktop only). A small number of images for which thumbnails are present may not show up, due to algorithm limitations.

-4

No

Generally, thumbnails are stored outside the image files - they're not a feature of the image but of the system that allows you to browse the system - the picture viewer of your phone, some image gallery app, as a feature of your OS file browser/explorer/finder.

There is no direct vulnerability when uploading individual images, as the data is not embedded in the images - it is stored either in a centralized place by the app that's showing (and generating, and storing) the thumbnails or in a hidden file in your image folder. However, there may be some risks if you upload e.g. a zipped folder of images that could also include all that metadata.

Peteris
  • I didn't send myself a folder with pictures that could include a thumbs.db file. I sent myself multiple pictures, which I downloaded one by one from Gmail. And yet old dimensions were retained, so maybe it's not in the image file format specification (and that's why I couldn't find it) but it actually is in the file, at least when you take a photo and edit it on Windows Phone 8.1. Microsoft even confirmed it by replying to me that it's a designed feature just like in MS Office. To those who may not know, when you crop an image in MS Office, you can later still uncrop it (even after save-load). – Markus von Broady Mar 05 '16 at 11:17