In addition to the Samsung Exynos modem issue, Android 13 QPR2 with the March 2023 security update fixes a vulnerability in Pixel’s markup screenshot tool.
Simon Aarons, aka “aCropalypse”, identified and reported this vulnerability (CVE-2023-21036) to Google in early January, using the first proof-of-concept exploit developed by David Buchanan:
Screenshots cropped using the built-in “Markup” app on Google Pixel devices cannot be retroactively cropped and unredacted in many circumstances.
aCropalypse FAQ (coming soon)
Edit screenshots (crop, add text, draw and highlight) with the built-in markup utility released in 2018 with Android 9 Pie and found on Pixel phones.
The problem
For example, suppose you upload a screenshot (as shared on Twitter) from a hypothetical banking app/website that includes an image of your credit/debit card. You’ll cut out everything but the map, then use Markup’s pen tool to black out the 16-digit number. They then share this message on a service like Discord.
Given a vulnerability in how markup works, someone downloading the image can “retrieve a partial restoration of the original, unedited image data from [the] cropped and/or redacted screenshot.” In the above case, a malicious party can remove the black lines and see the credit card number and about 80% of the full screenshot, which may contain other sensitive information.
“The top 20% of the image is damaged, but the rest of the image – including a photo of the credit card with the number visible – is fully restored.”
This can be a problem if you’ve shared screenshots with addresses, phone numbers, and other private information.
1: Original screenshot | 2: In the markup | 3: Cropped and Drawn to Image | 4: Using the demo tool
Which screenshots are affected?
The privacy implications of this bug come from people sharing cropped images [that] unknowingly included additional data. Fortunately, most social media services reprocess uploaded images, removing the trailing data and reducing vulnerability. For example, Twitter is safe from the acropalypse. The following is a partial list of known vulnerable services and apps commonly used to share images: (i.e. services that do not remove trailing image data)
Discord (starting January 17th, newly uploaded images will be stripped of trailing data – however, all screenshots sent before this date are still vulnerable) (It is unknown if Google coordinated this change with Discord or if it was accidental)
aCropalypse FAQ (coming soon)
Screenshots are currently affected that were uploaded to Discord before mid-January 2023, when the service was changed.
There is a demo tool that you can use to upload a screenshot and see if a previously shared image is affected.
Technical explanation
When an image is cropped using markup, the edited version is saved in the same location as the original. However, the original file is not deleted before the new one is written. If the new file is smaller, the trailing portion of the original file will remain after the new file should finish.
aCropalypse FAQ (coming soon)
The technical description with root cause analysis is available and an FAQ is in preparation.
The issue in markup was fixed with the March 2023 security patch, listing CVE-2023-21036 with a severity of High. This Pixel update is currently available for Pixel 4a-5a, 7 and 7 Pro.
Update…
Thank you
FTC: We use income earning auto affiliate links. More.
Visit 9to5Google on YouTube for more news:
