aCropalypse Flaw Allows Recovery of Sensitive Data Removed From Pixel Screenshots, Researchers Say 6j1z60

Pixel smartphones were previously affected by a security flaw that could allow any to restore sensitive details cropped or redacted from screenshots, according to data shared by security researchers. A security flaw in Google's markup tool for Pixel smartphones allowed edited screenshot images to retain some of the original information, letting s recover details that were previously obfuscated by the sender. The vulnerability, which has existed for several years, has now been patched by Google on currently ed Pixel handsets.

Security researchers Simon Aarons and David Buchanan discovered a security flaw dubbed aCropalypse, that affects the markup tool used to crop, edit, and highlight screenshots on Pixel handsets. According to Android 10 introduced some changes to the system that caused data that had been edited out from screenshot to remain in the image. As a result, that data can be recovered by any who received the image, including strangers on the Internet.

In a thread on Twitter, Aarons explained how the aCropalypse vulnerability works using an image he sent to Discord Retr0id using the popular communication app. An image of a credit card that has been cropped and redacted with the "black pen" tool is shown to be ed, then subjected to a recovery process that results in an uncropped image of a fake bank website with the same credit card, along with its number visible.

According to Aarons, if the edited screenshot in PNG format has a smaller file size, as is the case with many cropped images, then “the trailing portion of the original file is left behind, after the new file is supposed to have ended”. This trailing portion of the file can then be recovered, he adds. The researcher has also published a tool that demonstrates how the aCropalypse vulnerability functions, allowing s to a screenshot to try and recover the original file.

Meanwhile, a 9to5Google report citing an early access version of an FAQ page for the vulnerability, states that not all images shared online are affected by the image. Some platforms, such as Twitter, process all ed images in such a way that it is not affected by the aCropalypse security flaw. However, on platforms like Discord that share images as-is, s who have shared screenshots using their Pixel smartphones since Android 10 could be affected by the vulnerability.

Owners of the Pixel 7 Pro, can update to the latest March security release to install a security fix for the flaw (CVE-2023-21036) which has a "high" severity classification, as per the report. However, there's no word from Google on when other ed Pixel phones will receive the fixes, or whether the company will update Pixel handsets that are no longer receiving software updates with a fix for the flaw. 

---