Google Pixel ‘aCropalypse’ exploit reverses edited parts of screenshots


A security flaw affecting the Google Pixel’s default screenshot editing utility, Markup, allows images to become partially “unedited,” potentially revealing the personal information users chose to hide, as spotted earlier by 9to5Google and Android Police. The vulnerability, which was discovered by reverse engineers Simon Aaarons and David Buchanan, has since been patched by Google but still has widespread implications for the edited screenshots shared prior to the update.

As detailed in a thread Aaarons posted on Twitter, the aptly-named “aCropalypse” flaw makes it possible for someone to partially recover PNG screenshots edited in Markup. That includes scenarios where someone may have used the tool to crop or scribble out their name, address, credit card number, or any other kind of personal information the screenshot may contain. A bad actor could exploit this vulnerability to reverse some of those changes and obtain information users thought they had been hiding.

In a forthcoming FAQ page obtained early by 9to5Google, Aarons and Buchanan explain that this flaw exists because Markup saves the original screenshot in the same file location as the edited one, and never deletes the original version. If the edited version of the screenshot is smaller than the original, “the trailing portion of the original file is left behind, after the new file is supposed to have ended.”

According to Buchanan, this bug first emerged about five years ago, around the same time Google introduced Markup with the Android 9 Pie update. That’s what makes this all the worse, as years-worth of older screenshots edited with Markup and shared on social media platforms could be vulnerable to the exploit.

The FAQ page states that while certain sites, including Twitter, re-process the images posted on the platforms and strip them of the flaw, others, such as Discord, don’t. Discord only just patched the exploit in a recent January 17th update, which means edited images shared to the platform before that date may be at risk. It’s still not clear whether there are any other affected sites or apps and if so, which ones they are.

The example posted by Aarons (embedded above) shows a cropped image of a credit card posted to Discord, which also has the card number blocked out using the Markup tool’s black pen. Once Aarons downloads the image and exploits the aCropalypse vulnerability, the top part of the image becomes corrupted, but he can still see the pieces that were edited out in Markup, including the credit card number. You can read more about the technical details of the flaw in Buchanan’s blog post.

After Aarons and Buchanan reported the flaw (CVE-2023-21036) to Google in January, the company patched the issue in a March security update for the Pixel 4A, 5A, 7, and 7 Pro with its severity classified as “high.” It’s unclear when this update will arrive for the other devices affected by the vulnerability, and Google didn’t immediately respond to The Verge’s request for more information. If you want to see how the issue works for yourself, you can upload a screenshot edited with a non-updated version of the Markup tool to this demo page created by Aarons and Buchanan. Or, you can check out some of the scary examples posted on the web.

This flaw came to light just days after Google’s security team found that the Samsung Exynos modems included in the Pixel 6, Pixel 7, and select Galaxy S22 and A53 models could allow hackers to “remotely compromise” devices using just a victim’s phone number. Google has since patched the issue in its March update, although this still isn’t available for the Pixel 6, 6 Pro, and 6A devices yet.

#Google #Pixel #aCropalypse #exploit #reverses #edited #parts #screenshots


Related Posts

Marvel’s Blade Movie Delayed by Writer’s Strike

[ad_1] Marvel’s vampire hunter Blade is a fierce warrior but he may have finally met his match: labor unions. The upcoming, long-in-development reboot of the Marvel franchise…

How to Watch the Coronation of King Charles III Live

[ad_1] King Charles III officially shed his princedom when Queen Elizabeth II died, and the British royal’s new position will be formalized on May 6 in a coronation…

‘Quordle’ today: See each ‘Quordle’ answer and hints for May 6

[ad_1] If Quordle is a little too challenging today, you’ve come to the right place for hints. There aren’t just hints here, but the whole Quordle solution….

How to use a passkey instead of a password to sign into your Google account

[ad_1] Passwords have always been a necessary evil, giving you the choice of either using one that is too simple (so you can easily remember it) or…

Amazon quietly acquired audio content discovery engine Snackable AI to boost its podcast projects

[ad_1] Amazon quietly acquired New York-based audio content discovery engine Snackable AI last December to boost its podcast features, as first reported by New York Post. The…

Warhammer 40K’s New Tyranid Screamer-Killer Is a Great Update

[ad_1] A new edition of Warhammer 40K means new models—and for some of the 40-year-old wargaming franchise’s creatures and characters, that means updates they’ve not had in…

Leave a Reply

Your email address will not be published. Required fields are marked *