Google Pixel phone screenshot editing tool is exposed to security vulnerabilities

Google’s Pixel phones ship with a screenshot editing tool called Markup, which has been found to contain a security flaw that allows edited screenshots to be partially restored, exposing private information that users wanted to hide. The vulnerability was first revealed by reverse engineers Simon Aarons and David Buchanan. Google fixed the vulnerability in a security update in March, but screenshots shared online by users before the update are still at risk.

According to a Twitter post by Aarons, the vulnerability, known as “aCropalypse,” allows partial restoration of PNG-formatted screenshots edited with Markup, for example when users crop an image or scribble over their name, address, credit card number or other private information. Anyone who obtains such a file may be able to revert those edits and read information the user thought was hidden from view.

Aarons and Buchanan explained that the vulnerability exists because Markup saves the original screenshot in the same file location as the edited screenshot and never removes the original version.

According to Buchanan, the vulnerability first appeared about five years ago, around the same time Google introduced Markup in its Android 9 Pie update. That makes the situation worse, because old screenshots edited with Markup and shared on social media platforms could be at risk.

While some sites (including Twitter) will reprocess images uploaded to the platform and remove the vulnerability, others (such as Discord) do not. It is unclear if there are other affected sites or apps.

An example posted by Aarons shows an edited image of a credit card with the card number obscured with the Markup tool’s black pen. When Aarons downloaded the image and processed it using the aCropalypse vulnerability, the top of the image became corrupted, but he could still see the parts that had been edited in Markup, including the credit card number.

Google has fixed the vulnerability in a March security update, categorizing its severity as “high.” The update is currently available for models like the Pixel 4a, 5a, 7, and 7 Pro, meaning Markup may still produce vulnerable images on some Pixel devices. It’s unclear when Google will push this patch to other Pixel devices.
