The March security update that rolled out earlier this month included some fixes for major vulnerabilities on Google’s Pixel smartphone line.
There was a patch for an exploit with Samsung-made modems that could allow attackers to access data like phone calls or text messages using only the victim’s phone number. However, that wasn’t the only major vulnerability. The March update also includes a fix for a high-severity flaw with the Pixel Markup tool for editing screenshots. In short, the flaw leaves data in the image file that could allow malicious actors to partially restore images that were cropped or edited.
Details of the flaw, dubbed ‘aCropalypse,’ emerged over the weekend courtesy of Simon Aarons and David Buchanan, the reverse engineers who uncovered it. Aarons posted an image on Twitter showing how aCropalypse can be used to recover an image: a cropped, redacted photo of a credit card shared in a chat, followed by the recovered image that includes the unredacted credit card number. Meanwhile, Buchanan published a blog post with a technical breakdown of the exploit. If you’re curious how, exactly, aCropalypse works, it’s worth a read.
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr
— Simon Aarons (@ItsSimonTime) March 17, 2023
The flaw has existed for about five years. Markup was released in 2018 as part of Android 9 Pie, so it seems like aCropalypse has been around basically since the beginning. Although the March security patch fixes the problem for future images, edited screenshots taken prior to the patch are still vulnerable.
However, it’s hard to say just how worried Pixel owners should be. Aarons and Buchanan have a FAQ page coming — though at the time of writing, it wasn’t live — that should help explain some of the details. One important piece of information the duo shared with The Verge and 9to5Google is that some websites, like Twitter, process images in such a way that they aren’t vulnerable to aCropalypse. Not everything is like this, though — the pair pointed out Discord as an example, which didn’t patch out the vulnerability until January 17th.
With that in mind, it’s probably best to assume any screenshot you’ve taken and edited on a Pixel phone in the last five or so years could be reverse-engineered to recover the edited parts of the image.
Moreover, the March patch only rolled out to the Pixel 4a, 5a, 7 and 7 Pro, with the update delayed for the Pixel 6 series (though it’s supposed to roll out on March 20th).
You can learn more about the aCropalypse exploit here or try a demo of it here.