• btc = $66 930.00 -2 457.50 (-3.54 %)

  • eth = $3 688.80 -70.76 (-1.88 %)

  • ton = $6.14 -0.28 (-4.32 %)

  • btc = $66 930.00 -2 457.50 (-3.54 %)

  • eth = $3 688.80 -70.76 (-1.88 %)

  • ton = $6.14 -0.28 (-4.32 %)

20 Mar, 2023
2 min time to read

Although the Markup vulnerability has been fixed by Google, any edited screenshots that were shared online before the update will remain unaffected.

The security vulnerability affecting the default screenshot editing tool on Google Pixel devices, Markup, allowed partially "unedited" images to be recovered. This flaw could reveal personal information that users had chosen to hide, including names, addresses, credit card numbers, and other sensitive data.

Reverse engineers Simon Aaarons and David Buchanan discovered the vulnerability, which has since been patched by Google. However, any edited screenshots shared before the update may still be vulnerable. The flaw, known as "aCropalypse," occurs because Markup saves the original screenshot in the same location as the edited one and never deletes the original version. As a result, if the edited version of the screenshot is smaller than the original, the "trailing portion" of the original file is left behind, which can be exploited to recover the "unedited" information.

The severity of the issue was classified as "high," and Google patched it in its March update for Pixel 4A, 5A, 7, and 7 Pro. However, it's still unclear when the update will be available for other devices affected by the vulnerability.

The vulnerability has widespread implications, as edited screenshots shared on social media platforms may still be at risk. Certain platforms, such as Twitter, re-process the images posted on their platforms, which strips them of the flaw. However, others, such as Discord, only recently patched the exploit in a January 17th update. This means that edited images shared on Discord before that date may still be vulnerable to the exploit.

Aarons and Buchanan have posted a detailed FAQ page explaining the vulnerability and how it can be exploited. They have also created a demo page where users can upload a screenshot edited with a non-updated version of the Markup tool to test the vulnerability. Additionally, Buchanan has written a blog post detailing the technical aspects of the flaw.

The discovery of this flaw comes just days after Google's security team found that the Samsung Exynos modems included in the Pixel 6, Pixel 7, and select Galaxy S22 and A53 models could allow hackers to remotely compromise devices using just a victim's phone number. Google has since patched the issue in its March update, but it's not yet available for all affected devices.