
Google Pixel ‘aCropalypse’ exploit flips edited parts of screenshots


A security flaw affecting the Google Pixel’s default screenshot editing tool, Markup, causes edited images to retain part of their original data, potentially revealing the personal information users thought they had hidden, as previously noted by 9to5Google and Android Police. The vulnerability, which was discovered by reverse engineers Simon Aarons and David Buchanan, has since been patched by Google, but it still has widespread implications for edited screenshots shared prior to the update.

As described in a thread Aarons posted on Twitter, the aptly named “aCropalypse” flaw allows someone to partially restore PNG screenshots edited in Markup. That includes scenarios where someone used the tool to crop out or scribble over their name, address, credit card number, or other personal information contained in the screenshot. An attacker could exploit this vulnerability to revert some of those changes and obtain information that users believed they had hidden.

In an upcoming FAQ page obtained early by 9to5Google, Aarons and Buchanan explain that this flaw exists because Markup saves the edited screenshot to the same file location as the original and never truncates or deletes the original data. If the edited version of the screenshot is smaller than the original, “the last part of the original file will be left after the new file would have ended.”
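The mechanism described above (a smaller edited file written over the original without truncation, leaving the tail of the original behind) can be checked for. The following Python script is an added example and is not part of the original article or of the researchers' tooling: it builds a constructed large PNG, overwrites it in place with a smaller one, and counts how many bytes remain after the final IEND chunk. It does not attempt to recover hidden content; it only tells you whether a file carries leftover data, which is the check a practitioner would run over an archive of previously shared screenshots. The function and constant names are my own, and the non-truncating file mode is a Python analogy for the behaviour the article describes, not Android's actual API.

```python
import os
import random
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png(width: int, height: int, pixels: bytes) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG from raw pixel bytes (constructed test data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Each PNG scanline starts with a filter-type byte; 0 means "no filter".
    raw = b"".join(b"\x00" + pixels[y * width:(y + 1) * width] for y in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def png_end_offset(data: bytes):
    """Walk the chunk list and return the offset just past IEND, or None if the file is malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def trailing_bytes(data: bytes):
    """Bytes after IEND. A clean PNG gives 0; leftover data is the symptom the article describes."""
    end = png_end_offset(data)
    return None if end is None else len(data) - end


# Constructed inputs: a large "original" screenshot and a small "edited" replacement.
ORIGINAL = build_png(64, 64, random.Random(1234).randbytes(64 * 64))  # incompressible, so it stays large
EDITED = build_png(8, 8, bytes(64))                                    # all-black, tiny


def simulate_overwrite(truncate: bool) -> int:
    """Write EDITED over a file holding ORIGINAL and report how many bytes survive past IEND.

    truncate=False mimics the flawed behaviour (open for write without truncating);
    truncate=True is the correct behaviour. This is an assumed analogy in Python, not Android's API.
    """
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(ORIGINAL)
        path = tmp.name
    try:
        with open(path, "wb" if truncate else "r+b") as f:
            f.write(EDITED)
        with open(path, "rb") as f:
            return trailing_bytes(f.read())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("clean edited PNG, trailing bytes:", trailing_bytes(EDITED))
    print("overwrite without truncate, trailing bytes:", simulate_overwrite(truncate=False))
    print("overwrite with truncate, trailing bytes:", simulate_overwrite(truncate=True))
```

Running the script prints 0 trailing bytes for the freshly built file and for the truncating overwrite, and a count equal to the size difference between the two images for the non-truncating overwrite. A non-zero `trailing_bytes` result on a real screenshot means the file should be re-exported from a clean source before being shared.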

According to Buchanan, this bug first appeared about five years ago, around the same time Google introduced Markup with the Android 9 Pie update. That makes it all the worse, as older screenshots edited with Markup years ago and shared on social media platforms could be vulnerable to the exploit.

The FAQ page states that while certain sites, including Twitter, reprocess the images posted to their platforms and thereby strip the leftover data, others, such as Discord, do not. Discord only just patched the exploit in a recent Jan. 17 update, meaning edited images shared on the platform before that date may be at risk. It’s still not clear whether other sites or apps are affected, and if so, which ones.

The example posted by Aarons (embedded above) shows a cropped image of a credit card posted to Discord, with the card number also blocked using the Markup tool’s black pen. Once Aarons downloads the image and exploits the aCropalypse vulnerability, the top part of the image becomes corrupted, but he can still see the parts that were removed in Markup, including the credit card number. You can read more about the technical details of the error in Buchanan’s blog post.

After Aarons and Buchanan reported the flaw (CVE-2023-21036) to Google in January, the company patched the issue in the March security update for the Pixel 4A, 5A, 7, and 7 Pro, with the severity rated as ‘high’. It’s unclear when this update will be available for the other devices affected by the vulnerability, and Google did not immediately respond to The Verge’s request for more information. If you want to see how the problem works for yourself, you can upload a screenshot edited with an unupdated version of the Markup tool to the demo page created by Aarons and Buchanan. Or you can check out some of the alarming examples posted on the internet.

This flaw came to light just days after Google’s security team discovered that the Samsung Exynos modems in the Pixel 6, Pixel 7, and certain Galaxy S22 and A53 models could allow hackers to compromise devices remotely using only a victim’s phone number. Google has since patched the issue in its March update, although it’s still not available for the Pixel 6, 6 Pro, and 6A devices.


Shreya Christina, ukbusinessupdates.com