An ‘Acropalypse’ flaw in Google Pixel ‘s Markup tool made it possible to partially recover edited or redacted screenshots and images, including those that have been cropped or had their contents masked, for the past five years.
The Markup tool is a built-in image editor that allows you to redact, crop, and change images on an Google Pixel device.
The vulnerability was discovered by security researchers Simon Aarons and David Buchanan, who reported on Twitter that it has been possible to recover sensitive information from edited images for the past five years using an attack they have dubbed “Acropalypse.”
Aarons shared an example of how they used the Acropalypse flaw to restore a photo uploaded to Discord of a credit card whose number was redacted using the black marker feature of the Markup tool.
After running the photo through their Acropalypse exploit, they recovered the original image.
The researchers also published an Acropalypse screenshot recovery utility online to allow Pixel owners to test their own redacted images and see if they are recoverable.
The researchers reported the flaw to Google in January 2023, and the company fixed it via an update released on March 13, 2023, tracking it as CVE-2023-21036.
The problem is believed to stem from how the image file was opened for editing, causing truncated data to be left behind in a saved image and allowing roughly 80% of the original version to be recoverable.
The vulnerability could expose sensitive information that the image creator redacted using Pixel’s Markup tool before sharing the media with others or posting it online.
This applies to posting on platforms that do not compress user-uploaded media, so the sensitive data, if it exists, remains intact.
A FAQ with more details on the problem will be published soon on a dedicated website, but they’re unavailable at the time of writing.
Buchanan disclosed some additional technical details about the problem on his blog.
Not much you can do
Despite Google fixing the problem in the recent update for the Pixel phones, any images shared in the past five years are vulnerable to the Acropalypse attack, and nothing can be done to remediate this.
Due to this, the flaw could have severe privacy implications for users who uploaded screenshots with sensitive information redacted using the Markup tool. It could also have impact for users who share revealing pictures of themselves, with certain portions of the image previously being redacted, but now possibly recoverable.
Unfortunately, the issue impacts all Pixel models running Android 9 Pie and later, which is when the Markup tool was introduced, and until the February 2023 security update.
It should be noted that Google has released the March 2023 security update for Pixel 4a, 5a, 7, and 7 Pro with a week of delay due to coinciding with the quarterly “Pixel feature drop” and also the discovery of 18 zero-day flaws on Exynos modems used in the Pixel 6 and 7 series.
However, both the Exynos flaws and the Markup vulnerability still need to be fixed when writing this for Pixel 6a, 6, and 6 Pro, as the March 2023 security update still needs to roll out for these models.
Finally, Acropalypse could impact non-Pixel smartphones using third-party Android distributions that use the Markup tool for screenshot/image editing.
A similar issue with reversible cropping was recently discovered on Google Docs, enabling people with view-only access to recover original versions of cropped images in shared documents.