A security flaw affecting Google Pixel’s default screenshot editing utility, Markup, allows images to become partially “unedited,” potentially revealing personal information users had chosen to hide, as spotted earlier by 9to5Google and Android Police. The vulnerability, discovered by reverse engineers Simon Aarons and David Buchanan, has since been fixed by Google but still has widespread implications for edited screenshots shared before the update.
As described in a thread posted by Aarons on Twitter, the aptly named “aCropalypse” flaw allows someone to partially restore PNG screenshots edited in Markup. This includes cases where someone used the tool to crop out or scribble over their name, address, credit card number, or any other personal information the screenshot contained. A bad actor could use this vulnerability to reverse some of those edits and obtain information the user thought they had hidden.
In an upcoming FAQ page obtained by 9to5Google, Aarons and Buchanan explain that this flaw exists because Markup saves the edited screenshot to the same location as the original and never deletes the original version. If the edited version of the screenshot is smaller than the original, “the next part of the original file remains after the new file is assumed to be finished.”
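The file-level effect described in the FAQ can be checked for defensively: a PNG ends at its IEND chunk, so any bytes after it are leftovers that a viewer ignores but that remain in the file. The following is an added example, not code from the researchers or from Markup; `simulate_overwrite_without_truncate` is an assumed model of the write behaviour the FAQ describes, and the PNGs are constructed sample data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width: int, height: int, pixel: bytes) -> bytes:
    """Minimal valid 8-bit RGB PNG of one colour (constructed); IDAT stored uncompressed."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + pixel * width for _ in range(height))  # filter type 0 per row
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw, 0))
            + png_chunk(b"IEND", b""))

def trailing_bytes_after_iend(data: bytes) -> int:
    """Walk the chunk list and return the number of bytes that follow the IEND chunk.
    A clean PNG returns 0; a file written the way the FAQ describes returns > 0.
    Raises ValueError if the data is not a well-formed PNG up to IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    raise ValueError("no IEND chunk found")

def simulate_overwrite_without_truncate(original: bytes, edited: bytes) -> bytes:
    """Model of the Markup behaviour described above (an assumption, not Markup's code):
    the edited file is written over the original at offset 0 without truncating,
    so everything in the original beyond the new file's length survives on disk."""
    if len(edited) >= len(original):
        return edited
    return edited + original[len(edited):]

if __name__ == "__main__":
    original = make_png(64, 64, b"\xff\x00\x00")  # large unredacted screenshot (constructed)
    edited = make_png(8, 8, b"\x00\x00\x00")      # smaller cropped/redacted version
    on_disk = simulate_overwrite_without_truncate(original, edited)
    print("trailing bytes in clean file:", trailing_bytes_after_iend(edited))
    print("trailing bytes in overwritten file:", trailing_bytes_after_iend(on_disk))
```

Running `trailing_bytes_after_iend` over a folder of already-shared screenshots is a quick way to find files that still carry a tail worth re-saving or removing.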
According to Buchanan, this bug first appeared about five years ago, around the time Google introduced Markup with the Android 9 Pie update. That makes matters worse, since older screenshots edited with Markup and shared on social media platforms can also be vulnerable to the exploit.
The FAQ page states that while some sites, including Twitter, reprocess images posted to their platforms, which strips out the flaw, others, such as Discord, do not. Discord only patched the exploit in a recent update on January 17, meaning edited images shared on the platform before that date may be at risk. It’s not yet clear whether other sites or apps are affected, and if so, which ones.
The example posted by Aarons (embedded above) shows a cropped image of a credit card posted on Discord with the card number blocked out using the black highlighter pen. After Aarons downloads the image and exploits the aCropalypse vulnerability, the top part of the image is corrupted, but he can still see the parts that were redacted in Markup, including the credit card number. You can read more about the technical details of the flaw in Buchanan’s blog post.
After Aarons and Buchanan reported the flaw (CVE-2023-21036) to Google in January, the company fixed the issue in a March security update for the Pixel 4A, 5A, 7, and 7 Pro, classifying its severity as “high.” It’s unclear when this update will arrive for the other devices affected by the vulnerability, and Google did not immediately respond to The Verge’s request for more information. If you want to see how the problem works for yourself, you can upload a screenshot edited with a non-updated version of the Markup tool to the demo page created by Aarons and Buchanan, or check out some of the alarming examples published on the web.
This flaw came to light just days after Google’s security team found that the Samsung Exynos modems in the Pixel 6, Pixel 7, and select Galaxy S22 and A53 models could allow hackers to “remotely compromise” devices using only the victim’s phone number. Google has since fixed that issue in its March update, though it’s not yet available for the Pixel 6, 6 Pro, and 6A.