When Google started rolling out Android , the company addressed a high-severity vulnerability related to the Pixel’s markup screenshot tool. over the weekend, and The reverse engineer who discovered CVE-2023-21036.
Simply put, the “aCropalypse” flaw allowed someone to take a PNG screenshot that was cropped with markup and undo at least some of the edits to the image. It’s easy to imagine scenarios where a malicious person could abuse that feature. For example, if a pixel’s owner used markup to edit an image that contained sensitive information about themselves, someone could exploit the flaw to reveal that information. about, .
Introducing acropalypse: A critical privacy vulnerability in Markup, Google Pixel’s built-in screenshot editing tool, allowing partial recovery of original, unedited image data for cropped and/or edited screenshots tobig thanks to @David 3141593 for his help! pic.twitter.com/BXNQomnHbr
— Simon Aarons (@ItsSimonTime) March 17, 2023
According to Buchanan, the vulnerability has been around for about five years, around the time Markup was released. And there lies the problem. A security patch in March prevents Markup from compromising future images, but some screenshots that Pixel users may have shared in the past are still at risk.
It’s hard to say how concerned Pixel users should be about this flaw. Shared by Aarons and Buchanan and , some websites, including Twitter, process images in such a way that someone cannot exploit this vulnerability to reverse edit screenshots and images. Users of other platforms are not so lucky. Aarons and Buchanan specifically identified his Discord and chat app recently pointing out that he hadn’t patched the exploit until the January 17th update. At this time, it is unknown if images shared on other social media or chat apps suffered similar vulnerabilities.
Google did not immediately respond to Engadget’s comment and request for more information. The March security update is now available for Pixel 4a, 5a, 7, and 7 Pro. This means Markup may generate vulnerable images on some Pixel devices. It’s unclear when Google will push the patch to his other Pixel devices. If you own an unpatched Pixel phone, do not share sensitive images with markup.