Google fixed a “High” severity bug affecting the Markup snapshot feature on the Pixel earlier this week when it started distributing Android’s March security patch. Reverse engineers Simon Aarons and David Buchanan revealed new details about the security weakness over the weekend, showing Pixel customers are still at risk of having their earlier photographs exposed due to the nature of Google’s supervision.
In essence, the “aCropalypse” bug allowed someone to erase at least some of the alterations made to a picture using a PNG snapshot that had been cropped in Markup. It’s simple to envision situations in which a terrible person would take advantage of such capacity. Someone may use the weakness to divulge personal information, for example, if a Pixel owner used Markup to redact an image that contained sensitive information about themselves. The technical information is available on Buchanan’s blog.
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr
— Simon Aarons (@ItsSimonTime) March 17, 2023
The problem, according to Buchanan, has persisted for around five years, aligning with the 2018 release of Markup and Android 9 Pie. And there therein lies the issue. The security update from March will stop Markup from compromising photos in the future, but certain screenshots that Pixel users may have shared in the past may still be vulnerable.
How worried Pixel users should be about the problem is difficult to determine. A future FAQ page that Aarons and Buchanan shared with 9to5Google and The Verge will state that some websites, including Twitter, process photos in a way that prevents someone from using the flaw to reverse-edit a screenshot or image. Other platform users aren’t that fortunate. Aarons and Buchanan single out Discord, stating that the chat application didn’t fix the vulnerability until its most recent update on January 17. It’s currently unknown if photos published on other social media platforms and communication applications were similarly exposed.
