aCropalypse Flaw Allows Recovery of Sensitive Data Removed From Pixel Screenshots, Researchers Say
Pixel smartphones were previously affected by a security flaw that could allow any user to restore sensitive details cropped or redacted from screenshots, according to data shared by security researchers. A security flaw in Google’s markup tool for Pixel smartphones allowed edited screenshot images to retain some of the original information, letting users recover details that were previously obfuscated by the sender. The vulnerability, which has existed for several years, has now been patched by Google on currently supported Pixel handsets.
Security researchers Simon Aarons and David Buchanan discovered a security flaw dubbed aCropalypse, that affects the markup tool used to crop, edit, and highlight screenshots on Pixel handsets. According to details shared by Buchanan, Android 10 introduced some changes to the system that caused data that had been edited out from screenshot to remain in the image. As a result, that data can be recovered by any user who received the image, including strangers on the Internet.
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel’s inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr
— Simon Aarons (@ItsSimonTime) March 17, 2023
In a thread on Twitter, Aarons explained how the aCropalypse vulnerability works using an image he sent to Discord user Retr0id using the popular communication app. An image of a credit card that has been cropped and redacted with the “black pen” tool is shown to be downloaded, then subjected to a recovery process that results in an uncropped image of a fake bank website with the same credit card, along with its number visible.
According to Aarons, if the edited screenshot in PNG format has a smaller file size, as is the case with many cropped images, then “the trailing portion of the original file is left behind, after the new file is supposed to have ended”. This trailing portion of the file can then be recovered, he adds. The researcher has also published a tool that demonstrates how the aCropalypse vulnerability functions, allowing users to upload a screenshot to try and recover the original file.
Meanwhile, a 9to5Google report citing an early access version of an FAQ page for the vulnerability, states that not all images shared online are affected by the image. Some platforms, such as Twitter, process all uploaded images in such a way that it is not affected by the aCropalypse security flaw. However, on platforms like Discord that share images as-is, users who have shared screenshots using their Pixel smartphones since Android 10 could be affected by the vulnerability.
Owners of the Pixel 4a, Pixel 5a, Pixel 7, and Pixel 7 Pro, can update to the latest March security release to install a security fix for the flaw (CVE-2023-21036) which has a “high” severity classification, as per the report. However, there’s no word from Google on when other supported Pixel phones will receive the fixes, or whether the company will update Pixel handsets that are no longer receiving software updates with a fix for the flaw.