Security researchers Simon Aarons and David Buchanan have identified a flaw in Google’s Markup tool that allowed them to recover sensitive information from edited images over the past five years.
The researchers called the exploit “Acropalypse,” which made it possible to recover edited or redacted screenshots and images, including those that have been cropped or had their contents masked, and could potentially expose sensitive information that had been redacted using Pixel’s Markup tool before being shared with others or posted online.
Aarons shared an example of how the exploit worked, demonstrating how it restored an image of a credit card whose number was redacted using the black marker feature of the Markup tool.
The vulnerability is believed to stem from how the image file was opened for editing, causing truncated data to be left behind in a saved image and allowing approximately 80% of the original version to be recoverable.
Google was informed of the flaw in January 2023 and released an update on March 13, 2023, to fix it, tracking it as CVE-2023-21036. Unfortunately, any images shared over the past five years are vulnerable to the Acropalypse attack, and nothing can be done to remediate this.
The issue impacts all Pixel models running Android 9 Pie and later, which is when the Markup tool was introduced, until the February 2023 security update.
Despite Google fixing the problem in the recent update for the Pixel phones, it could have severe privacy implications for users who uploaded screenshots with sensitive information redacted using the Markup tool.
Additionally, the vulnerability could affect users who share revealing pictures of themselves, with certain portions of the image previously being redacted but now possibly recoverable.
Furthermore, non-Pixel smartphones using third-party Android distributions that use the Markup tool for screenshot/image editing could also be affected by Acropalypse.
Google released the March 2023 security update for Pixel 4a, 5a, 7, and 7 Pro, albeit with a week of delay due to the coinciding quarterly “Pixel feature drop” and the discovery of 18 zero-day flaws on Exynos modems used in the Pixel 6 and 7 series.
However, both the Exynos flaws and the Markup vulnerability still need to be fixed for Pixel 6a, 6, and 6 Pro, as the March 2023 security update still needs to roll out for these models.
Buchanan disclosed additional technical details about the problem on his blog, and a FAQ with more details on the problem will be published soon on a dedicated website.
