A security flaw affecting the Google Pixel’s default screenshot-editing tool, Markup, allows edited images to become partially “raw” again, potentially revealing personal information users have hidden, as previously noted by 9to5Google and Android Police. The vulnerability, which was discovered by reverse engineers Simon Aarons and David Buchanan, has since been patched by Google, but still has widespread implications for the edited screenshots shared prior to the update.
As described in a thread Aarons posted on Twitter, the aptly named “aCropalypse” flaw allows someone to partially restore PNG screenshots edited in Markup. That includes scenarios where someone may have used the tool to crop out or scribble over their name, address, credit card number, or other personal information contained in the screenshot. An attacker could exploit this vulnerability to revert some of those changes and obtain information that users thought they had hidden.
In an upcoming FAQ page obtained early by 9to5Google, Aarons and Buchanan explain that this flaw exists because Markup saves the original screenshot in the same file location as the edited one and never deletes the original version. If the edited version of the screenshot is smaller than the original, “the last part of the original file will be left after the new file would have ended.”
According to Buchanan, this bug first appeared about five years ago, around the same time Google introduced Markup with the Android 9 Pie update. That’s what makes this all the worse, as years-old screenshots edited with Markup and shared on social media platforms could be vulnerable to the exploit.
The FAQ page states that while certain sites, including Twitter, reprocess the images posted to the platforms and remove the error, others, such as Discord, do not. Discord only just patched the exploit in a recent Jan. 17 update, meaning edited images shared on the platform before that date may be at risk. It’s still not clear if there are other affected sites or apps, and if so, which ones.
The example posted by Aarons shows a cropped image of a credit card posted to Discord, with the card number also blocked out using the Markup tool’s black pen. Once Aarons downloads the image and exploits the aCropalypse vulnerability, the top part of the image becomes corrupted, but he can still see the parts that were removed in Markup, including the credit card number. You can read more about the technical details of the flaw in Buchanan’s blog post.
After Aarons and Buchanan reported the flaw (CVE-2023-21036) to Google in January, the company patched the issue in a March security update for the Pixel 4A, 5A, 7, and 7 Pro with the severity rated as ‘high’. It’s unclear when this update will be available for the other devices affected by the vulnerability, and Google didn’t immediately respond to The Verge’s request for more information. If you want to see how the problem works for yourself, you can upload a screenshot edited with an unupdated version of the Markup tool to this demo page created by Aarons and Buchanan. Or you can check out some of the scary examples posted on the internet.
This flaw came to light just days after Google’s security team discovered that the Samsung Exynos modems in the Pixel 6, Pixel 7, and certain Galaxy S22 and A53 models could allow hackers to compromise devices remotely using only a victim’s phone number. Google has since patched the issue in its March update, although it’s still not available for the Pixel 6, 6 Pro, and 6A devices.