



A security flaw affecting Markup, the default screenshot editing utility on Google Pixel phones, allows edited images to be partially "unedited," revealing personal information the user chose to hide. The vulnerability, discovered by reverse engineers Simon Aarons and David Buchanan, has since been patched by Google, but it still has widespread implications for edited screenshots shared before the update.

As detailed in a thread Aarons posted on Twitter, the aptly named aCropalypse flaw allows someone to partially restore PNG screenshots edited in Markup. This includes cases where someone used the tool to crop out or scribble over names, addresses, credit card numbers, or other personal information in a screenshot. A malicious person could exploit this vulnerability to undo some of these changes and obtain information that the user thought was hidden.

On an FAQ page obtained early by 9to5Google, Aarons and Buchanan explain that the flaw exists because Markup saved the edited screenshot to the same file location as the original and never deleted the original version. If the edited version of the screenshot is smaller than the original file, the trailing portion of the original file is left behind after the point where the new file should have ended.

According to Buchanan, the bug first appeared about five years ago, around the same time Google introduced Markup in its Android 9 Pie update. This means years-old screenshots edited with Markup and shared on social media platforms could be vulnerable to the exploit.

The FAQ page states that certain sites, including Twitter, reprocess images posted on the platform in a way that removes the flaw, while others, such as Discord, do not. Discord only patched the exploit in its update on the 17th, which means edited images shared to the platform before that date may be at risk. It's not yet clear whether any other sites or apps are affected, and if so, which ones.

The example posted by Aarons shows a cropped image of a credit card posted on Discord, with the card number blocked out using the Markup tool's black pen. When Aarons downloads the image and exploits the aCropalypse vulnerability, the top of the image is corrupted, but the parts edited out with Markup (such as the credit card number) are still visible. For more technical details on this flaw, see Buchanan's blog post.

After Aarons and Buchanan reported the flaw (CVE-2023-21036) to Google in January, the company patched the issue in a March security update for the Pixel 4A, 5A, 7, and 7 Pro, classifying it as high severity. It's unclear when this update will reach other affected devices, and Google didn't immediately respond to The Verge's request for more information. If you want to see how the problem works for yourself, you can upload a screenshot edited with a non-updated version of the Markup tool to the demo page created by Aarons and Buchanan. Or you can check some of the horrible examples posted on the web.

The flaw came to light a few days after Google's security team discovered that Samsung Exynos modems, included in the Pixel 6, Pixel 7, and some Galaxy S22 and A53 models, could allow hackers to remotely compromise a device using just the victim's phone number. Google has since patched the issue in its March update, which is not yet available on its Pixel 6, 6 Pro, and 6A devices.

