Hey everyone, it’s Nuked here! Today I want to talk about a recent security vulnerability that affects the Google Pixel’s default screenshot editing utility, Markup.
It turns out that a flaw discovered by reverse engineers Simon Aarons and David Buchanan, nicknamed “aCropalypse”, allows someone to partially recover PNG screenshots edited in Markup. This means that any personal information users may have cropped or scribbled out using Markup could potentially be revealed.
The reason is that Markup saves the edited screenshot to the same file location as the original and never deletes the original version. If the edited version is smaller than the original, part of the original file is left behind.
This bug first emerged around five years ago when Google introduced Markup with the Android 9 Pie update. This means that edited screenshots shared over the last five years could be vulnerable to this exploit. Certain sites like Twitter re-process images posted on their platform and strip out the leftover data, but others like Discord didn’t until recently.
Google has since patched the issue in a March security update for certain Pixel models, although it’s still unclear when this update will arrive for other affected devices. If you’d like to see how this works for yourself, you can upload a screenshot edited with a non-updated version of Markup to this demo page created by Aarons and Buchanan.
This news comes just days after Google’s security team found that modems included in certain Pixel and Samsung models could allow hackers to remotely compromise devices using just a victim’s phone number. Google has since patched this issue too.
Hopefully this information helps make you more aware of potential security flaws and reminds you to keep your data safe!