Google has since patched the Markup vulnerability, but that doesn’t have an effect on the edited screenshots shared online before the update.
A security flaw affecting the Google Pixel’s default screenshot editing utility, Markup, allows images to become partially “unedited,” potentially revealing the personal information users chose to hide, as spotted earlier by 9to5Google and Android Police. The vulnerability, which was discovered by reverse engineers Simon Aaarons and David Buchanan, has since been patched by Google but still has widespread implications for the edited screenshots shared prior to the update.
As detailed in a thread Aaarons posted on Twitter, the aptly-named “aCropalypse” flaw makes it possible for someone to partially recover PNG screenshots edited in Markup. That includes scenarios where someone may have used the tool to crop or scribble out their name, address, credit card number, or any other kind of personal information the screenshot may contain. A bad actor could exploit this vulnerability to reverse some of those changes and obtain information users thought they had been hiding.
In a forthcoming FAQ page obtained early by 9to5Google, Aarons and Buchanan explain that this flaw exists because Markup saves the original screenshot in the same file location as the edited one, and never deletes the original version. If the edited version of the screenshot is smaller than the original, “the trailing portion of the original file is left behind, after the new file is supposed to have ended.”
According to Buchanan, this bug first emerged about five years ago, around the same time Google introduced Markup with the Android 9 Pie update. That’s what makes this all the worse, as years-worth of older screenshots edited with Markup and shared on social media platforms could be vulnerable to the exploit.
The FAQ page states that while certain sites, including Twitter, re-process the images posted on the platforms and strip them of the flaw, others, such as Discord, don’t. Discord only just patched the exploit in a recent January 17th update, which means edited images shared to the platform before that date may be at risk. It’s still not clear whether there are any other affected sites or apps and if so, which ones they are.
The example posted by Aarons (embedded above) shows a cropped image of a credit card posted to Discord, which also has the card number blocked out using the Markup tool’s black pen. Once Aarons downloads the image and exploits the aCropalypse vulnerability, the top part of the image becomes corrupted, but he can still see the pieces that were edited out in Markup, including the credit card number. You can read more about the technical details of the flaw in Buchanan’s blog post.
After Aarons and Buchanan reported the flaw (CVE-2023-21036) to Google in January, the company patched the issue in a March security update for the Pixel 4A, 5A, 7, and 7 Pro with its severity classified as “high.” It’s unclear when this update will arrive for the other devices affected by the vulnerability, and Google didn’t immediately respond to The Verge’s request for more information. If you want to see how the issue works for yourself, you can upload a screenshot edited with a non-updated version of the Markup tool to this demo page created by Aarons and Buchanan. Or, you can check out some of the scary examples posted on the web.
This flaw came to light just days after Google’s security team found that the Samsung Exynos modems included in the Pixel 6, Pixel 7, and select Galaxy S22 and A53 models could allow hackers to “remotely compromise” devices using just a victim’s phone number. Google has since patched the issue in its March update, although this still isn’t available for the Pixel 6, 6 Pro, and 6A devices yet.