A dangerous security hole has been discovered in the default screenshot editing application on Google’s flagship smartphone, Google Pixel.
The editing utility called ‘Markup’ allows images to become partially “unedited,” which may reveal details the sender wanted to hide.
“Introducing acropalypse: a serious privacy vulnerability in the Google Pixel’s inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot,” tweeted Simon Aaarons, the reverse engineer who discovered the vulnerability along with David Buchanan.
Although Google has fixed the vulnerability, its impact is still far-reaching, particularly for the edited screenshots that were shared before the update.
According to Aaarons’ Twitter thread, a vulnerability known as the “acropalypse” flaw can partially recover edited PNG screenshots in Markup. This poses a risk for users who may have used the tool to crop or scribble out sensitive information, such as their personal details or credit card number, as a malicious actor could exploit the flaw to reverse the changes and obtain the hidden information.
According to Aarons and Buchanan, the flaw is due to Markup’s behavior of storing the original screenshot in the same file location as the edited one, without deleting the original version. As explained, if the edited version of the screenshot has a smaller file size than the original, “the trailing portion of the original file is left behind, after the new file is supposed to have ended.”
“This bug is a bad one. You can patch it, but you can’t easily un-share all the vulnerable images you may have sent. The bug existed for about 5 years before being patched, which is mind-blowing given how easy it is to spot when you look closely at an output file,” wrote Buchanan.
iPhone has a feature to remove Medadata
The problem only exists in the Google Pixel devices, whereas Apple’s iPhone has the feature to share files with or without metadata.
iPhones provide three options: “save without metadata, share without metadata, and share with metadata.”
Although some websites like Twitter re-process the images uploaded on their platforms to remove the flaw, others like Discord do not. Discord only addressed the vulnerability with a recent update released on January 17th, meaning any edited images shared before that date may still be at risk.
It remains uncertain whether there are any other sites or applications that are affected by the flaw. Buchanan has explained this issue with technical details in a blog post.
“IMHO, the takeaway here is that API footguns should be treated as security vulnerabilities,” wrote Buchanan.
The discovery of this flaw occurred shortly after Google’s security team uncovered a vulnerability in the Samsung Exynos modems found in devices like the Pixel 6, Pixel 7, and specific models of the Galaxy S22 and A53.
The security flaw could enable hackers to remotely compromise devices using just the phone number of the victim. Google has released a patch for this issue in its March update, but the update is not yet available for the Pixel 6, 6 Pro, and 6A devices.
This article is originally from MetaNews.
