Skip to main content

Pixel Markup vulnerability lets some screenshots be un-redacted, un-cropped; fixed by March update

Besides the Samsung Exynos modem issue, Android 13 QPR2 with the March 2023 security update fixes a vulnerability with the Pixel’s Markup screenshot tool.

Dubbed “aCropalypse,” Simon Aarons identified and reported this vulnerability (CVE-2023-21036) to Google in early January, with the initial proof-of-concept exploit developed by David Buchanan:

Screenshots cropped using the built-in “Markup” app on Google Pixel devices may be retroactively un-cropped and un-redacted under many circumstances.

aCropalypse FAQ (coming soon)

The built-in Markup utility, released with Android 9 Pie in 2018, found on Pixel phones lets you edit (crop, add text, draw, and highlight) screenshots.

The problem

For example (as shared on Twitter), let’s say you upload a screenshot from a hypothetical bank app/website that includes a picture of your credit/debit card. You crop out everything save for the card and then use Markup’s Pen tool to black out the 16-digit number. You then share that message on a service, like Discord.

Given a vulnerability in how Markup works, somebody that downloads the image is able to perform a “partial recovery of the original, unedited image data of [the] cropped and/or redacted screenshot.” In the above case, a malicious party can remove the black lines and see the credit card number, as well as ~80% of the full screenshot, which might include other sensitive information.

”The top 20% of the image is corrupted, but the remainder of the image – including a photo of the credit card with its number visible – is fully recovered.”

This might be an issue if you shared screenshots with addresses, phone numbers, and other private info.

1: Original screenshot | 2: In Markup | 3: Cropped and drawn on image | 4: Using demo tool

What screenshots are affected?

The privacy impact of this bug stems from people sharing cropped images [that] unknowingly included extra data. Fortunately, most social media services re-process uploaded images, which strips the trailing data and mitigates the vulnerability. For example, Twitter is safe from acropalypse. The following is an incomplete list of known vulnerable services and apps commonly used to share images: (i.e. services that do not strip trailing image data)

  • Discord (as of the 17th of January, newly uploaded images are stripped of trailing data – however, any screenshot sent prior to that date is still vulnerable) (It’s unknown whether Google coordinated with Discord to make this change, or if it was coincidental)
aCropalypse FAQ (coming soon)

At the moment, screenshots uploaded to Discord before mid-January 2023 — a change to the service was made then — are known to be affected.

There is a demo tool where you can upload a screenshot and see if a previously shared image is impacted.

Technical explanation

When an image is cropped using Markup, it saves the edited version in the same file location as the original. However, it does not erase the original file before writing the new one. If the new file is smaller, the trailing portion of the original file is left behind, after the new file is supposed to have ended.

aCropalypse FAQ (coming soon)

The technical write-up with root cause analysis is available, and a FAQ is forthcoming.


The issue in Markup was fixed with the March 2023 security patch, with CVE-2023-21036 listed as having a “High” severity. That Pixel update is currently available for the Pixel 4a-5a, 7, and 7 Pro.

Updating…

Thanks David

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Abner Li Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications