A security flaw affecting the Google Pixel’s default screenshot-editing utility, Markup, allows edited images to be partially “unedited,” which could reveal personal information users chose to hide, as spotted earlier by 9to5Google and Android Police. The vulnerability, which was discovered by reverse engineers Simon Aarons and David Buchanan, has since been patched by Google, but it still has widespread implications for edited screenshots shared before the update.
As detailed in a thread Aarons posted on Twitter, the aptly named “aCropalypse” flaw makes it possible for someone to partially recover PNG screenshots edited in Markup. That includes scenarios where someone may have used the tool to crop out or scribble over their name, address, credit card number, or any other type of personal information the screenshot may contain. A bad actor could exploit this vulnerability to reverse some of those changes and obtain information that users thought they had hidden.
In a soon-to-be-published FAQ page obtained early by 9to5Google, Aarons and Buchanan explain that this flaw exists because Markup saves the original screenshot in the same file location as the edited screenshot and never deletes the original version. If the edited version of the screenshot is smaller than the original, “the end of the original file is left behind, after the new file is supposed to have finished.”
According to Buchanan, this bug first appeared about five years ago, around the same time Google introduced Markup with the Android 9 Pie update. That’s what makes matters worse, since old screenshots edited with Markup and shared on social media platforms could be vulnerable to the exploit.
The FAQ page states that while certain sites, including Twitter, re-render images posted to the platforms and remove the glitch, others, like Discord, do not. Discord just patched the exploit in a recent update on January 17, which means edited images shared on the platform before then may be at risk. It’s not yet clear if there are any other sites or apps affected, and if so, what they are.
The example posted by Aarons shows a cropped image of a credit card posted to Discord, which also has the card number blocked out with the Markup tool’s black pen. Once Aarons downloads the image and exploits the aCropalypse vulnerability, the top portion of the image becomes corrupted, but you can still see the parts that were edited out in Markup, including the credit card number. You can read more about the technical details of the flaw in Buchanan’s blog post.
After Aarons and Buchanan reported the flaw (CVE-2023-21036) to Google in January, the company fixed the issue in a March security update for the Pixel 4A, 5A, 7, and 7 Pro, with its severity rated “high.” It’s unclear when this update will arrive for the other devices affected by the vulnerability, and Google did not immediately respond to a request for more information. If you’d like to see how the issue works for yourself, you can upload a screenshot edited with an outdated version of the Markup tool to this demo page created by Aarons and Buchanan. Or, you can check out some of the scary examples published on the web.
This flaw came to light just days after Google’s security team discovered that the Samsung Exynos modems included in the Pixel 6, Pixel 7, and select Galaxy S22 and A53 models could allow hackers to “remotely compromise” devices using only the victim’s phone number. Google has since fixed the issue in its March update, though it’s still not available for Pixel 6, 6 Pro, and 6A devices.