Google recently released the March 2023 security update for its Pixel smartphones. The update fixes a number of key bugs in Pixel smartphones, including ones affecting the Samsung Exynos modem, Bluetooth, WiFi, GPS and camera. It also fixes a high-severity vulnerability in Google’s Markup tool that could have been used by malicious hackers to retrieve at least part of the information removed from edited screenshots.
The vulnerability, dubbed “aCropalypse,” was identified by developers Simon Aarons and David Buchanan and reported to Google in January this year before being patched in March this year. According to the developers, the vulnerability in Google’s built-in Markup tool enables a “partial recovery of the original, unedited image data of a cropped and/or redacted screenshot.”
To illustrate: if you cropped an image using your Pixel phone’s Markup tool to remove the part showing personal information such as your address and your phone number, hackers could recreate most of the image and get access to most of this data.
What’s more worrisome is that this bug existed for about five years before being patched, which means that it has been present since right around the time the tool was rolled out on Android 9 Pie back in 2018.
This bug is a bad one.
You can patch it, but you can’t easily un-share all the vulnerable images you may have sent.
The bug existed for about 5 years before being patched, which is mind-blowing given how easy it is to spot when you look closely at an output file. https://t.co/yiR8egjLV8
— David Buchanan (@David3141593) March 18, 2023
The way this vulnerability works is simple. When you edit an image using Google Pixel’s Markup tool, it saves the screenshot and the edited image in the same folder without overwriting or replacing the old image with the new image. “so basically the pixel 7 pro, when you crop and save a screenshot, overwrites the image with the new version, but leaves the rest of the original file in its place,” the developers wrote in a technical blog.
Most social media platforms, such as Twitter, re-process uploaded images, which removes this trailing data and mitigates the issue in the process, 9to5Google noted. However, many other platforms, Discord for instance, do not do the same, which leaves screenshots shared on those platforms in the past from Pixel phones vulnerable to hackers. It is worth noting that Discord fixed this bug in an update released on January 17.
This means that even if you updated your Pixel phone with the latest security update, there is no way of telling if the screenshots that you shared in the past are safe.
Author Name | Shweta Ganjoo