An ‘Acropalypse’ flaw in Google Pixel’s markup tool has partially recovered edited or redacted screenshots and images, including those that were cropped or had content obscured, over the past five last years.
The markup tool is an inbuilt image editor that allows you to redact, crop and edit images on a Google Pixel device.
The vulnerability was discovered by security researchers Simon Aarons and David Buchanan, who reported on Twitter that it was possible to recover sensitive information from images altered over the past five years using an attack they dubbed “Acropalypse”.
Aarons shared an example of how they used the Acropalypse flaw to restore a photo uploaded to Discord of a credit card that had its number redacted using the markup tool’s black marker feature. .
After running the photo through their Acropalypse exploit, they recovered the original image, as shown below.
The researchers also published an Acropalypse screenshot recovery utility online to allow Pixel owners to test their own redacted images and see if they are salvageable.
Researchers reported the flaw to Google in January 2023, and the company fixed it via a published update March 13, 2023followed by CVE-2023-21036.
The problem is believed arise from how the image file was opened for editingwhich has the effect of leaving truncated data in a saved image and recovering about 80% of the original version.
The vulnerability could expose sensitive information that the image creator redacted using Pixel’s markup tool before sharing the media with others or posting it online.
This applies to posting to platforms that do not compress user-uploaded media, so sensitive data, if any, remains intact.
A FAQ with more details about the issue will be posted soon on a dedicated websitebut they are not available at the time of writing.
Buchanan leaked some additional technical details about the issue on his blog.
you can’t do much
Although Google fixed the issue in the recent update to Pixel phones, all images shared within the last five years are vulnerable to the Acropalypse attack, and nothing can be done about it.
Because of this, the flaw could have serious privacy implications for users who uploaded screenshots with sensitive information redacted using the markup tool. It could also impact users who share self-revealing images, with parts of the image previously redacted, but now possibly recoverable.
Unfortunately, the issue affects all Pixel models running Android 9 Pie and later, when the markup tool was introduced, and up until the February 2023 security update.
It should be noted that Google released the March 2023 security update for Pixel 4a, 5a, 7, and 7 Pro a week late due to coincidence with the quarterly “Removal of pixel functionality” and also the discovery of 18 zero-day flaws on the Exynos modems used in the Pixel 6 and 7 series.
However, the Exynos flaws and Markup vulnerability are yet to be fixed as we write this for Pixel 6a, 6, and 6 Pro, as the March 2023 security update has yet to be rolled out for these models.
Finally, Acropalypse may impact non-Pixel smartphones using third-party Android distributions that use the markup tool for screen capture/image editing.
A similar problem with reversible cultures was recently discovered on Google Docsallowing people with read-only access to retrieve original versions of cropped images in shared documents.