Google Pixel exploit reverses edited portions of screenshots
A security flaw affecting the Google Pixel’s default screenshot editing tool, Markup, allows images to become partially “unmodified”, potentially revealing personal information that users have chosen to hide, as spotted earlier by 9to5Google and Android Police. The vulnerability, which was discovered by reverse engineers Simon Aarons and David Buchanan, has since been patched by Google but still has widespread implications for edited screenshots shared before the update.
As detailed in a thread Aarons posted on Twitter, the flaw, called “aCropalypse”, makes it possible for someone to partially restore PNG screenshots edited in Markup. This includes scenarios where someone may have used the tool to crop out or write over their name, address, credit card number, or any other type of personal information that the screenshot might contain. A bad actor could exploit this vulnerability to reverse some of those changes and get information that users thought they were hiding.
In a soon-to-be-published FAQ page obtained in advance by 9to5Google, Aarons and Buchanan explain that this flaw exists because Markup saves the original screenshot in the same location as the edited file, and never deletes the original version. If the modified version of the screenshot is smaller than the original, “the later part of the original file is left behind, after the new file is supposed to be finished.”
According to Buchanan, this bug first appeared about five years ago, around the same time Google introduced Markup with the Android 9 Pie update. That makes this even worse, as old screenshots edited with Markup and shared on social media platforms could be vulnerable to exploitation.
The FAQ page states that while some sites, including Twitter, reprocess images posted to their platforms and strip them of this flaw, others, such as Discord, do not. Discord only patched the vulnerability in its latest update on January 17th, which means edited photos shared on the platform before that date could be at risk. It is still not clear if any other websites or apps are affected and if so, which ones.
The example posted by Aarons shows a cropped image of a credit card posted to Discord, which also has the card number masked out using the Markup tool’s black pen. Once Aarons downloads the image and exploits the aCropalypse vulnerability, the top of the image becomes corrupted, but he can still see the pieces that were edited in Markup, including the credit card number. You can read more about the technical details of the flaw in Buchanan’s blog post.
After Aarons and Buchanan reported the bug (CVE-2023-21036) to Google in January, the company patched the issue in a March security update for Pixel 4A, 5A, 7, and 7 Pro devices, with a severity rating of “High”. It is not clear when this update will reach other devices affected by the vulnerability, and Google did not immediately respond to The Verge’s request for more information. If you want to see how the problem works yourself, you can upload a screenshot that was edited with an out-of-date version of the Markup tool to this demo page created by Aarons and Buchanan. Or you can check out some of the scary examples published on the web.
The flaw appeared just days after Google’s security team discovered that the Samsung Exynos modems built into the Pixel 6 and Pixel 7 phones, and select Galaxy S22 and A53 models, could allow hackers to “remotely hack into devices” using only the victim’s phone number. Google has since patched the issue in its March update, though this still isn’t available for Pixel 6, 6 Pro, and 6A devices just yet.