A security flaw named aCropalypse has reportedly been detected in Markup, the default screenshot editing facility of Google Pixel. The PNG screenshots that are edited in the Markup utility can be partially recovered due to this security flaw.
If the images become partially edited, the bug could also disclose personal information that users may have wanted to hide, such as names, credit card details, etc. This vulnerability could allow bad actors to partially uncover this hidden information and compromise the security of the user.
According to reverse engineers David Buchanan and Simon Aarons, who discovered the aCropalypse vulnerability, this flaw exists due to the fact that the original version of the screenshot is saved by Markup in the same place where the edited one is stored, without deleting it.
Some sites like Twitter reprocess the images prior to posting, which identifies the flaw and cuts it down. Others like Discord did not possess this facility before its January 17th application update. This means that the edited images or screenshots uploaded before the update are still at risk.
David Buchanan has stated that the bug was first detected around five years ago. At this time, Google had introduced Markup with a new version of the operating system, Android 9 Pie.
Simon Aarons demonstrated the issue with an example, wherein he downloaded the cropped image of a credit card posted to Discord, with the card number blocked out using Markup’s black pen tool. When the image was exposed to the aCropalypse vulnerability, the top part of the image became corrupted. However, certain pieces like the credit card number, which were edited in Markup, became visible.
After the flaw was reported to Google in January, it patched up the issue in a security update issued in March for the Pixel 4A, 5A, 7, and 7 Pro handsets. The update is yet to be introduced on other devices including Pixel 6, 6A, and 6 Pro models.