Google Pixel reportedly has a flaw affecting Markup, the default screenshot editing utility. It lets edited images be partially un-edited, revealing personal data most users do not want to show.
Since reverse engineers Simon Aarons and David Buchanan discovered the vulnerability, Google has been working to patch it. However, the security flaw still has extensive implications for edited PNG images shared before the update.
Aarons took to Twitter to post the details in a thread, saying aCropalypse is the aptly named security vulnerability that lets anyone partially recover PNG screenshots edited in Google Pixel's editing utility. That includes scenarios where a user has used the tool to scribble out or crop information such as a name, phone number, address, or credit card details.
Screenshots containing any personal information are also among the vulnerable scenarios. A bad actor could exploit the flaw to reverse changes made to the images and access the data users chose to hide.
The Security Vulnerability
The reverse engineers at Google used an upcoming FAQ page found by 9to5Google to explain the security flaw. Buchanan and Aarons say the flaw exists because Markup saves the edited version of a PNG image to the same file location as the original without deleting the original one first.
If the edited screenshot is smaller than the original version, the trailing part of the original file is left behind after the end of the new one. Buchanan said the security flaw first appeared five years ago. That is around the same time Google rolled out its screenshot editing utility, Markup, with the Android 9 Pie update. This makes the situation even worse, as older Markup-edited screenshots already shared on social media could be vulnerable to the exploit.
According to the FAQ pages, sites like Twitter reprocess the photos posted on their platforms, which strips out the flaw, whereas other websites, including Discord, do not. They also reveal that Discord only patched the exploit in its January update, meaning edited screenshots shared before then may still be vulnerable. It is still unclear whether the security flaw has affected other apps or sites and, if so, which ones.
Aarons also posted a few examples. One of them displays a cropped snapshot of a credit card shared to the Discord social media app, with the card number blocked out using the black pen available in the Markup tool. When the reverse engineer downloads the PNG image and exploits the bug, the top part of the image comes out corrupted. However, Aarons can still view the pieces edited out in Markup, including the credit card details.
Google received the report about the CVE-2023-21036 flaw from Buchanan and Aarons in January this year. The tech giant patched the problem in a March security update for the Google 4A, 7 & 7 Pro, classifying its severity as high. Google has been vague about when it will release the update for other devices affected by the bug.