Google Pixel's default editing tool may not have been the safest choice for removing personal information in photos.
Reverse engineers recently discovered that Google Pixel's Markup photo editing tool allows images to become partially unedited, potentially revealing people's personal information.
The reverse engineers already reported the security flaw to Google in January, with the search giant patching it out in a security update released in March.
Google Pixel Markup Exploit Details
New blog post alert: "Exploiting aCropalypse: Recovering Truncated PNGs"https://t.co/9S2wfZbPrx https://t.co/yiR8egjLV8
— David Buchanan (@David3141593) March 18, 2023
Reverse Engineers Simons Aarons and David Buchanan posted on a Twitter thread about a security flaw they discovered in Google Pixel's Markup. According to them, the flaw, which they aptly named "the aCropalypse," makes it possible for someone to partially recover PNG screenshots edited in Google Pixel's Markup editing tool.
This security flaw allows other people to slightly view a photo's unedited version and view the information people originally removed or covered with the editing app. If a hacker or cybercriminal knows about this vulnerability, they could reverse some of those changes and obtain information users thought they already hid by editing them out.
Aarons and Buchanan mentioned in an FAQ page that the flaw exists because Markup saves and never deletes the original screenshot in the same file location as the edited one, per 9to5Google. If the original photo is bigger than its edited version, the original photo leaves a "trailing portion" after its new, edited version is supposed to have ended.
Read More: Assassin's Creed Codename Red Might Feature a Samurai and Shinobi
This trailing portion is the one responsible for revealing users' personal information. Unfortunately, Buchanan mentioned that the bug first emerged around 2018, the same year Google introduced Markup with the Android 9 Pie update.
New blog post alert: "Exploiting aCropalypse: Recovering Truncated PNGs"https://t.co/9S2wfZbPrx https://t.co/yiR8egjLV8
— David Buchanan (@David3141593) March 18, 2023
This period means that hackers and cybercriminals had around five years to exploit this vulnerability on all the screenshots people took, edited, and posted on their various social media accounts. Aarons and Buchanan mentioned in the FAQ page that while certain social media platforms like Twitter re-process images posted on them and remove the trailing portion of the original unedited file from its edited counterpart, others, like Discord, don't.
Although Discord already fixed the problem in a Jan. 17 update, the number of social media platforms that don't strip the trailing portion of images edited with Google Pixel's Markup is still unclear.
Google's Response
Aarons informed Google of the security flaw, labeled as vulnerability CVE-2023-21036, to Google in early January, with Buchanan developing the initial proof-of-concept exploit. The search giant promptly created a patch to fix the security flaw in the March security update for its Google Pixel devices, per Android Police.
The Verge mentioned that the March security update labeled the security flaw as a high-severity vulnerability, though the patch fixing it is not available for devices affected by it.
As of press time, the update is only for people using Google Pixels 4A, 5A, and 7 Pro.
Google has yet to provide more information about the vulnerability and when its patch will be available to its other devices.
Related Article: Google Fired Employees on Medical Leave During Layoffs
