Google Pixel ‘aCropalypse’ exploit flips edited parts of screenshots

A security flaw affecting the Google Pixel’s default screenshot editing tool, Markup, causes edited images to remain partially “raw”, potentially revealing the personal information users thought they had hidden, as previously noted by 9to5Google and Android Police. The vulnerability, which was discovered by reverse engineers Simon Aarons and David Buchanan, has since been patched by Google, but it still has widespread implications for edited screenshots shared prior to the update.

As described in a thread Aarons posted on Twitter, the aptly named “aCropalypse” bug allows someone to partially restore PNG screenshots edited in Markup. That includes scenarios where someone used the tool to crop out or scribble over their name, address, credit card number, or other personal information contained in the screenshot. An attacker could exploit this vulnerability to revert some of those changes and obtain information that users thought they had hidden.

In an upcoming FAQ page obtained early by 9to5Google, Aarons and Buchanan explain that this bug exists because Markup saves the edited screenshot to the same file location as the original one without ever truncating or deleting the original version. If the edited version of the screenshot is smaller than the original, “the last part of the original file will be left after the new file would have ended.”
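The mechanism the FAQ describes is a non-truncating overwrite: a shorter file written over a longer one leaves the old tail intact past the new PNG’s IEND chunk. The following is an added example, not code from the article or from Aarons and Buchanan, that reproduces that pattern with constructed in-memory PNGs and shows the check a defender would run over an image library: walk the PNG chunk list and count bytes left after IEND. The specific open flags (O_WRONLY without O_TRUNC versus with O_TRUNC) are an assumption used to illustrate the bug and its fix; the article does not name the API Markup used.

```python
import os
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def build_png(width, height, pixel_bytes):
    """Build a minimal valid 8-bit RGB PNG in memory (constructed sample, not a real screenshot)."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One filter byte (0 = None) in front of every scanline.
    raw = b"".join(b"\x00" + pixel_bytes[y * width * 3:(y + 1) * width * 3] for y in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def trailing_bytes_after_iend(data):
    """Walk the PNG chunk list and return the number of bytes that follow the IEND chunk.

    A well-formed PNG returns 0. A positive value means the file carries leftover data
    past its logical end, which is the signature of the overwrite bug described above.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length/type header, chunk data, CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated PNG: no IEND chunk")


def overwrite(path, new_bytes, truncate):
    """Write new_bytes at offset 0 of an existing file.

    truncate=False (assumed buggy behaviour): the old tail survives if new_bytes is shorter.
    truncate=True (the fix): the file is cut to exactly the new content.
    """
    flags = os.O_WRONLY | (os.O_TRUNC if truncate else 0)
    fd = os.open(path, flags)
    try:
        os.write(fd, new_bytes)
    finally:
        os.close(fd)


def demo(truncate):
    """Save a 4x4 'original', overwrite it with a 2x2 'cropped' edit, report leftover bytes."""
    original = build_png(4, 4, bytes(range(48)))  # constructed 4x4 RGB image
    edited = build_png(2, 2, bytes(range(12)))    # constructed smaller 2x2 RGB image
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(original)
        path = f.name
    try:
        overwrite(path, edited, truncate)
        with open(path, "rb") as f:
            return trailing_bytes_after_iend(f.read())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("leftover bytes without truncation:", demo(truncate=False))
    print("leftover bytes with truncation:   ", demo(truncate=True))
```

Running `trailing_bytes_after_iend` over a directory of screenshots is a cheap triage step: any file reporting a non-zero tail was produced by a non-truncating editor and should be re-exported before sharing. The check only measures the tail; it does not attempt to decode it.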

According to Buchanan, this bug first appeared about five years ago, around the same time Google introduced Markup with the Android 9 Pie update. That makes it all the worse, as older screenshots edited with Markup over the years and shared on social media platforms could be vulnerable to the exploit.

The FAQ page states that while certain sites, including Twitter, reprocess images posted to their platforms and thereby strip the leftover data, others, such as Discord, do not. Discord only just patched the issue in a recent Jan. 17 update, meaning edited images shared on the platform before that date may be at risk. It’s still not clear whether other sites or apps are affected, and if so, which ones.

The example posted by Aarons (embedded above) shows a cropped image of a credit card posted to Discord, with the card number also blocked using the Markup tool’s black pen. Once Aarons downloads the image and exploits the aCropalypse vulnerability, the top part of the image becomes corrupted, but he can still see the parts that were removed in Markup, including the credit card number. You can read more about the technical details of the error in Buchanan’s blog post.

After Aarons and Buchanan reported the flaw (CVE-2023-21036) to Google in January, the company patched the issue in the March security update for the Pixel 4A, 5A, 7, and 7 Pro, with the severity rated as ‘high’. It’s unclear when this update will be available for the other devices affected by the vulnerability, and Google hadn’t immediately responded to The Verge’s request for more information. If you want to see how the problem works for yourself, you can upload a screenshot edited with an unpatched version of the Markup tool to the demo page created by Aarons and Buchanan. Or you can check out some of the alarming examples posted on the internet.

This flaw came to light just days after Google’s security team discovered that the Samsung Exynos modems in the Pixel 6, Pixel 7, and certain Galaxy S22 and A53 models could allow hackers to compromise devices remotely using only a victim’s phone number. Google has since patched the issue in its March update, although it’s still not available for the Pixel 6, 6 Pro, and 6A devices.

Shreya Christina
Shreya has been with for 3 years, writing copy for client websites, blog posts, EDMs and other mediums to engage readers and encourage action. By collaborating with clients, our SEO manager and the wider team, Shreya seeks to understand an audience before creating memorable, persuasive copy.

