The Pixel Markup vulnerability allows screenshot edits to be reversed

Besides the Samsung Exynos modem issue, Android 13 QPR2 with the March 2023 security update fixes a vulnerability in the Pixel’s Markup screenshot tool.

Dubbed “acropalypse,” this weakness (CVE-2023-21036) was identified by Simon Aarons and reported to Google in early January, with an initial proof-of-concept exploit developed by David Buchanan:

Screenshots cropped using the built-in “Markup” app on Google Pixel devices may be retroactively un-cropped and un-redacted under various circumstances.


The built-in Markup tool, released with Android 9 Pie in 2018, and found in Pixel phones, lets you edit (crop, add text, draw, and highlight) screenshots.

The problem

For example (as shared on Twitter), let’s say you take a screenshot of a banking app or website that includes a picture of your credit/debit card. You crop out everything but the card and then use Markup’s pen to black out the 16-digit number. You then share this image on a service such as Discord.

Because of a security flaw in how Markup works, the person downloading the image is able to perform “partial recovery of the original, unedited image data of [the] cropped and/or redacted screenshot.” In the above case, a malicious party could remove the black lines and see the credit card number, as well as approximately 80% of the full screenshot, which may include other sensitive information.

“The top 20% of the photo is damaged, but the rest of the photo – including the credit card photo with its visible number – has been fully recovered.”

This can be a problem if you share screenshots with addresses, phone numbers, and other private information.

[Figure caption: 1: original screenshot | 2: cropped | 3: cropped and drawn on | 4: recovered using the demo tool]

What screenshots are affected?

The privacy impact of this bug stems from people sharing cropped images that inadvertently included additional data. Luckily, most social media services reprocess uploaded images, removing the excess data and mitigating the vulnerability. For example, Twitter is safe from acropalypse. Below is an incomplete list of known vulnerable services and apps commonly used to share photos (i.e. services that don’t strip excess image data):

  • Discord (As of January 17th, newly uploaded images are stripped of trailing data; however, any screenshot submitted before that date is still vulnerable.) (It is unknown whether Google coordinated with Discord to make this change or whether it was a coincidence.)


Currently, screenshots uploaded to Discord before mid-January 2023, when a change was made to the service, are known to be affected.

There is a demo tool where you can upload a screenshot to check whether a previously shared image is affected.

Technical explanation

When an image is cropped using Markup, it saves the modified version to the same location as the original file. However, it does not truncate the original file before writing the new one. If the new file is smaller, the trailing part of the original file is left over after the end of the new file.
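As an added illustration (not code from the article or from the researchers’ tools), the following Python reproduces the write-without-truncate pattern described above on a constructed PNG, and includes the check a detection tool would use: walking the PNG chunks and counting any bytes that follow IEND. The PNG generator and the file paths are constructed for the example.

```python
import os, struct, tempfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
def png_chunk(ctype, data):
    """One PNG chunk: big-endian length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width, height):
    """Constructed 8-bit RGB PNG with a noisy deterministic pattern (stand-in for a screenshot)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = [b"\x00" + bytes((x * 31 + y * 17) & 0xFF for x in range(width * 3))
            for y in range(height)]  # leading 0x00 = "no filter" on each scanline
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(b"".join(rows))) + png_chunk(b"IEND", b""))

def trailing_bytes_after_iend(data):
    """Walk the chunk list; return how many bytes follow IEND (0 for a clean file)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 8-byte header + payload + 4-byte CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk found")

def save_without_truncate(path, png):
    """The flawed pattern the article describes: overwrite in place without truncating."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT)  # note: no os.O_TRUNC
    os.write(fd, png)
    os.close(fd)

def save_with_truncate(path, png):
    with open(path, "wb") as f:  # "wb" truncates, so nothing of a larger original survives
        f.write(png)

def demo():
    """Save a small 'crop' over a large original both ways; return the leftover byte counts."""
    original, cropped = make_png(64, 64), make_png(8, 8)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "screenshot.png")
        save_with_truncate(path, original)
        save_without_truncate(path, cropped)
        leftover_buggy = trailing_bytes_after_iend(open(path, "rb").read())
        save_with_truncate(path, original)
        save_with_truncate(path, cropped)
        leftover_fixed = trailing_bytes_after_iend(open(path, "rb").read())
    return leftover_buggy, leftover_fixed, len(original) - len(cropped)
```

With the flawed save, every byte of the original past the new file’s IEND is still on disk, which is exactly what the recovery described above reads back; a non-zero count from `trailing_bytes_after_iend` is the signal a scanner should flag.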


A technical write-up with a root cause analysis is available, and an FAQ is coming soon.


The issue has been fixed in Markup with the March 2023 security patch, with CVE-2023-21036 listed as having “high” severity. This Pixel update is currently available for the Pixel 4a through 5a, 7, and 7 Pro.


Thanks David
