Google's Android platform has once again been hit by a security vulnerability, this time affecting the Pixel's Markup screenshot tool. Reverse engineers Simon Aarons and David Buchanan discovered the flaw, which they dubbed the "aCropalypse," and it has been present since Markup was released alongside Android 9 Pie in 2018.
The "aCropalypse" vulnerability allows bad actors to take a PNG screenshot cropped in Markup and undo at least some of the edits in the image, potentially revealing sensitive information that was previously redacted by a Pixel owner using Markup. The severity of the vulnerability is rated as "High," and it has existed for around five years, leaving Pixel users who have shared images in the past at risk.
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr
— Simon Aarons (@ItsSimonTime) March 17, 2023
While the March security patch prevents Markup from compromising future images, it does not protect previously shared images. The vulnerability also varies across different platforms, with some like Twitter processing images in a way that prevents someone from exploiting the flaw to reverse edit a screenshot or image. However, other platforms such as Discord remained vulnerable to the exploit until a recent update.
As of now, Google has not yet responded to requests for comment and further information about the flaw. The March security update is currently available on Pixel 4a, 5a, 7, and 7 Pro, meaning Markup can still produce vulnerable images on some Pixel devices. It is unclear when the patch will be rolled out to other Pixel devices. As a precaution, Pixel users are advised to avoid using Markup to share sensitive images if they do not have the patch.
To prevent falling victim to this vulnerability, users should refrain from sharing sensitive images using Markup until they have installed the patch. It is also recommended to be cautious when sharing any sensitive information online and only share information with trusted sources.
In conclusion, the "aCropalypse" flaw in the Pixel's Markup screenshot tool raises significant concerns about the security of sensitive images shared on Pixel devices. It is crucial for users to take precautions and avoid sharing sensitive images until they have installed the patch. Google needs to address this issue urgently and provide updates for all affected devices.
0 Comments