Two security researchers have warned of a serious vulnerability in Google's Pixel phones that allows parts of screenshots edited with Markup, the screenshot editing tool present by default on Pixel phones, to be revealed.
Security researchers Simon Aarons and David Buchanan announced the vulnerability, which they named aCropalypse, in a tweet. They said it allows the recovery of parts that users have hidden in screenshots by obscuring them, which can expose the user's sensitive personal information, such as name, address, phone number, credit card details, or any other information that was hidden.
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr
— Simon Aarons (@ItsSimonTime) March 17, 2023
According to the researchers, the vulnerability has existed for five years, since Google released Markup with the Android 9 update in 2018. Although Google recently released a security update to fix the vulnerability, the risk remains that edits can be reversed on images modified before this update.
The researchers said that the cause of the vulnerability is that the Markup application keeps the original screenshot data within the image file itself, without deleting the image data that the user has hidden. This means that the hidden information can be retrieved by applying some reverse engineering algorithms to the image file.
This means that images edited with the tool and posted on social networks over the years are still vulnerable to exploitation. The researchers pointed out that some social networks, such as Twitter, compress uploaded images in a way that strips them of their original information, which makes it impossible to retrieve sensitive information from them. However, other services do not modify the images uploaded to them, which leaves those images vulnerable to exploitation. As an example, the researchers cited the Discord chat application, which issued an update to fix the vulnerability on January 17, but the edited images that users shared on the platform before that date may be at risk.