
Patched Pixel bug allowed partial recovery of edited screenshots


Google’s internal markup tool on Pixel devices has a security flaw that allows someone to partially recover screenshots that were cropped or redacted in Markup. The vulnerability, dubbed ‘acropalypse’, was first discovered by reverse engineers Simon Aarons and David Buchanan. While Google has already addressed the issue in its March 2023 security update, screenshots shared prior to the update still suffer from the issue.

The vulnerability is tracked as CVE-2023-21036. Aarons reported it to Google in early January, and Buchanan developed the initial proof-of-concept exploit. While the actual issue lies in closed-source Google code, Buchanan’s blog describes it as a “horrible bit of API design”.

The main reason was that Google’s API for Markup wasn’t truncating unnecessary information from redacted or cropped screenshots. The company was passing ‘w’ to a call to parseMode() when it should have been passing ‘wt’, where the ‘t’ indicates truncation. As a result, the image file is opened without the O_TRUNC flag, meaning that whenever the cropped image is written, the original isn’t truncated.

In layman’s terms, when a file is edited with Markup, it saves the edited version in the same file location as the original. However, instead of erasing the original file, it just overwrites it with the edited one. This means that the edited file is saved with more information than required.

While Google could intentionally be doing this to let users go back and remove any edits they may have made to their screenshots, the implementation meant that a third party or external user could just take the image and rebuild the original, non-truncated parts to recover anything that was removed.

Services that allow photo-sharing are also partially to blame for this. Any service that doesn’t automatically process images being uploaded to remove unnecessary data can propagate the vulnerability. Luckily, at the time of writing, only Discord was found to do this, with the platform fixing this issue on January 17. However, any screenshots shared before that are still vulnerable.

There’s an online tool where you can upload screenshots to check if they’re affected by the issue. Additionally, an FAQ for the entire vulnerability is also on the way. As mentioned before, Google has fixed the issue in its March security update, available for the Pixel 4a all the way up to the latest Pixel 7 Pro, in addition to fixes for the recent zero-day vulnerabilities found in Exynos chips affecting Pixel devices.



Yadullah Abidi
