
Besides the Samsung Exynos modem issue, Android 13 QPR2 with the March 2023 security update fixes a vulnerability with the Pixel’s Markup screenshot tool.
Dubbed “aCropalypse,” this weakness (CVE-2023-21036) was identified and reported to Google by Simon Aarons in early January, with an initial proof-of-concept exploit developed by David Buchanan:
Screenshots cropped using the built-in “Markup” app on Google Pixel devices may be retroactively uncropped and unredacted under various circumstances.
aCropalypse FAQ (coming soon)
The built-in Markup tool, released with Android 9 Pie in 2018 and found on Pixel phones, lets you edit (crop, add text, draw on, and highlight) screenshots.
The problem
For example (as shared on Twitter), let’s say you upload a screenshot from a virtual bank app/website that includes a picture of your credit/debit card. You crop out everything except the card and then use Markup’s Pen to black out the 16-digit number. You then share that image on a service, such as Discord.
Because of a security flaw in how Markup works, a person who downloads the image is able to perform “partial recovery of the original, unedited image data of [the] cropped and/or redacted screenshot.” In the above case, a malicious party could remove the black lines and see the credit card number, as well as approximately 80% of the full screenshot, which may include other sensitive information.
“The top 20% of the photo is damaged, but the rest of the photo – including the credit card photo with its visible number – has been fully recovered.”
This can be a problem if you share screenshots with addresses, phone numbers, and other private information.
1: Original screenshot | 2: in profile | 3: Crop it and draw it on the photo | 4: using the display tool
What screenshots are affected?
The privacy impact of this bug stems from people sharing cropped images [that] inadvertently included additional data. Luckily, most social media services reprocess uploaded images, removing redundant data and mitigating the vulnerability. For example, Twitter is safe from aCropalypse. Below is an incomplete list of known vulnerable services and apps commonly used to share photos (i.e. services that don’t strip excess photo data):
- Discord (As of January 17th, newly uploaded images are stripped of trailing data – however, any screenshot submitted before that date is still vulnerable) (It is unknown if Google coordinated with Discord to make this change, or if it was a coincidence)
aCropalypse FAQ (coming soon)
Currently, screenshots uploaded to Discord before mid-January 2023 — a change was made to the service at that time — are known to be affected.
There is a viewing tool where you can upload a screenshot and see if the previously shared image is affected.
Technical explanation
When an image is cropped using Markup, it saves the modified version in the same location as the original file. However, it does not erase the original file before writing the new file. If the new file is smaller, the later part of the original file will be left over, after the new file is finished.
aCropalypse FAQ (coming soon)
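The overwrite-without-erase behaviour described above, and a defender's check for it, as an added example that is not code from the FAQ, Markup or the researchers. It assumes Python's "r+b" file mode as a stand-in for a save that does not truncate, and the PNG files are constructed samples; the check only counts bytes left after the PNG's IEND chunk.

```python
import os, struct, tempfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data=b""):
    """Build one PNG chunk: length, type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_png(width, height):
    """Constructed sample: a valid 8-bit grayscale PNG of zeros (stored, not compressed)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(width) for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw, 0)) + chunk(b"IEND")

def trailing_bytes(blob):
    """Return how many bytes follow the first IEND chunk, or None if not a well-formed PNG."""
    if not blob.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            return None
        if ctype == b"IEND":
            return len(blob) - end       # anything here is leftover from an older file
        pos = end
    return None

def save_edit(path, new_blob, truncate):
    """Write an edited image over an existing file, with or without truncating first."""
    mode = "wb" if truncate else "r+b"   # "r+b" overwrites in place and keeps the old tail
    with open(path, mode) as f:
        f.write(new_blob)

def demo(truncate):
    """Save a 64x64 'screenshot', overwrite it with a 16x16 'crop', return leftover bytes."""
    fd, path = tempfile.mkstemp(suffix=".png")
    os.close(fd)
    try:
        save_edit(path, make_png(64, 64), truncate=True)
        save_edit(path, make_png(16, 16), truncate=truncate)
        with open(path, "rb") as f:
            return trailing_bytes(f.read())
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("no truncate:", demo(False), "bytes left over; truncate:", demo(True))
```

A non-zero result from `trailing_bytes` on a shared screenshot means the file carries data past the end of the image, which is the condition services that strip trailing data remove.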
A technical write-up with root cause analysis is available, and an FAQ is coming soon.
The issue has been fixed in Markup with the March 2023 security patch, with CVE-2023-21036 listed as having a “high” severity. This Pixel update is currently available for Pixel 4a-5a, 7, and 7 Pro.
Updating…
Thanks David