When Google started rolling out the March Android security patch, the company fixed a “high” severity vulnerability involving the Pixel’s Markup screenshot tool. Over the weekend, the reverse engineers who discovered CVE-2023-21036 shared more information about the security flaw, revealing that Pixel users are still at risk of their old images being compromised due to the nature of Google’s oversight.
In short, the “aCropalypse” flaw allowed someone to take a PNG screenshot cropped in Markup and undo at least some of the edits to the image. It’s easy to imagine scenarios where a bad actor might abuse this ability. For example, if a Pixel owner used Markup to redact an image containing sensitive information about themselves, someone could exploit the flaw to reveal that information. You will find the technical details on .
Introducing Acropalypse: A severe privacy vulnerability in Google Pixel’s built-in screenshot editing tool, Markup, allowing partial recovery of original, unaltered image data from a cropped and/or redacted screenshot. A big thank you to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr
— Simon Aarons (@ItsSimonTime) March 17, 2023
According to Buchanan, the flaw has existed for about five years, coinciding with the release of Markup alongside . And therein lies the problem. While the March security patch will prevent Markup from compromising future images, some screenshots that Pixel users may have shared in the past are still at risk.
It’s hard to say how concerned Pixel users should be about the flaw. According to a next Aarons and Buchanan shared with And , some websites, including Twitter, process images in such a way that no one can exploit the vulnerability to reverse editing a screenshot or image. Users on other platforms are not so lucky. Aarons and Buchanan specifically identify Discord, noting that the chat app didn’t fix the exploit until its recent January 17 update. At this time, it’s unclear whether images shared on other social media and chat apps have been left just as vulnerable.
Google did not immediately respond to Engadget’s request for comment and additional information. The March security update is currently available on Pixel 4a, 5a, 7, and 7 Pro, which means Markup may still produce vulnerable images on some Pixel devices. It’s unclear when Google will release the patch to other Pixel devices. If you own a Pixel phone without the patch, avoid using Markup to share sensitive images.
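For anyone auditing screenshots they have already shared, the check below is an added example, not code from the article or from the researchers. It relies on a detail the article does not spell out: affected files keep leftover bytes of the original screenshot after the PNG's closing IEND chunk, which is why re-encoding by sites such as Twitter removes the risk. The sample images and the function names are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def png_end_offset(data: bytes) -> int:
    """Return the offset just past IEND; raise ValueError if malformed."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        (length,) = struct.unpack_from(">I", data, pos)
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack_from(">I", data, end - 4)
        if crc != zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF:
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos = end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")

def trailing_bytes(data: bytes) -> int:
    """Number of bytes stored after IEND (0 for a clean file)."""
    return len(data) - png_end_offset(data)

def strip_trailing(data: bytes) -> bytes:
    """Drop everything after IEND; the visible image is unchanged."""
    return data[:png_end_offset(data)]

# Constructed sample: a valid 1x1 grayscale PNG, then the same file with
# made-up leftover bytes appended to imitate an affected screenshot.
ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN = (PNG_SIG + chunk(b"IHDR", ihdr)
         + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
SUSPECT = CLEAN + b"leftover-original-data" * 4

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, "trailing bytes:", trailing_bytes(blob))
```

A nonzero count marks a file for review rather than proving it came from Markup, since other tools also append data after IEND. Saving the output of `strip_trailing` before sharing removes the leftover bytes either way.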