A security flaw affecting Google Pixel’s default screenshot editing utility, Markup, allows images to become partially ‘unedited’, potentially revealing personal information users have chosen to hide, as spotted previously by 9to5Google And android font. The vulnerability, which was discovered by reverse engineers Simon Aarons and David Buchanan, have since been fixed by Google, but still have extensive implications for edited screenshots shared before the update.
As detailed in a thread Aarons posted on Twitter, the aptly named “aCropalypse” flaw allows someone to partially recover PNG screenshots edited in Markup. This includes scenarios where someone may have used the tool to crop or scribble their name, address, credit card number, or any other type of personal information the screenshot may contain. A malicious actor could exploit this vulnerability to reverse some of these changes and obtain information that users thought they had hidden.
In an upcoming FAQ page obtained early by 9to5Google, Aarons and Buchanan explain that this flaw exists because Markup saves the original screenshot in the same file location as the modified one and never deletes the original version. If the modified version of the screenshot is smaller than the original, “the final part of the original file is left after the end of the new file”.
According in Buchanan, this bug first appeared about five years ago, around the same time that Google introduced Markup with the Android 9 Pie update. This is what makes the situation worse, as years of old screenshots edited with Markup and shared on social media platforms could be vulnerable to the exploit.
The FAQ page indicates that while some sites, including Twitter, reprocess images posted on the platforms and rid them of the flaw, others, such as Discord, do not. Discord only just patched the exploit in a recent January 17 update, which means edited images shared on the platform before then may be at risk. It’s still unclear if there are other affected sites or apps, and if so, which ones.
The example posted by Aarons (embedded above) shows a cropped image of a credit card posted on Discord, with the card number also blocked using the markup tool’s black pen. Once Aarons uploads the image and exploits the aCropalypse vulnerability, the top portion of the image is corrupted, but he can still see the items that were changed in Markup, including the credit card number. You can read more about the technical details of the flaw in Buchanan’s blog post.
After Aarons and Buchanan reported the flaw (CVE-2023-21036) to Google in January, the company fixed the issue in a March security update for the Pixel 4A, 5A, 7, and 7 Pro with its severity classified as “high”. It’s unclear when this update will arrive for the other devices affected by the vulnerability, and Google did not immediately respond. The edgefor more information. If you want to see how the issue works for yourself, you can upload an edited screenshot with an unupdated version of the markup tool on this demo page created by Aarons and Buchanan. Or, you can check out some of the frightening examples posted on the web.
The flaw emerged just days after Google’s security team discovered that the Samsung Exynos modems included in the Pixel 6, Pixel 7, and some Galaxy S22 and A53 models could allow hackers to “remotely compromise” the devices. using only the victim’s phone number. Google has since fixed the issue in its March update, although it’s still not available for Pixel 6, 6 Pro and 6A devices.