When Google started rolling out Android , the company addressed a “High” severity vulnerability related to the Pixel Markup screenshot tool. Weekend, and Reverse engineers who discovered CVE-2023-21036, shared more information about the security flaw, revealing that Pixel users are still at risk of having their older images compromised due to the nature of Google’s monitoring.
In short, the “aCropalypse” flaw allowed someone to take a cropped PNG screenshot in Markup and undo at least some of the edits to the image. It’s easy to imagine scenarios in which a bad actor could abuse that ability. For example, if a Pixel owner used Markup to redact an image that included sensitive information about himself, someone could exploit the flaw to reveal that information. You can find technical details at .
Introducing acropalypse: a serious privacy vulnerability in Google Pixel’s built-in screenshot editing tool, Markup, that allows partial recovery of the original, raw image data from a cropped or redacted screenshot. many thanks to @David3141593 for your help in everything! pic.twitter.com/BXNQomnHbr
—Simon Aarons (@ItsSimonTime) March 17, 2023
According to Buchanan, the flaw has been around for about five years, coinciding with the release of Markup along with . And therein lies the problem. While the March security patch will prevent Markup from compromising future images, some screenshots that Pixel users may have shared in the past are still at risk.
It’s hard to say how worried Pixel users should be about the flaw. According to a close Aarons and Buchanan shared with and , some websites, including Twitter, process images in such a way that no one could exploit the vulnerability to reverse editing of a screenshot or image. Users of other platforms are not so lucky. Aarons and Buchanan specifically identify Discord, noting that the chat app didn’t fix the exploit until its recent update on January 17. At the moment, it is not clear if images shared on other social networks and chat applications were left equally vulnerable.
Google did not immediately respond to Engadget’s request for comment and more information. The March security update is currently available on the Pixel 4a, 5a, 7, and 7 Pro, which means Markup may still produce vulnerable images on some Pixel devices. It’s unclear when Google will push the patch to other Pixel devices. If you have an unpatched Pixel phone, avoid using Markup for sharing sensitive images.
