A vulnerability has been discovered in Google Pixel that allows you to undo changes made using the screenshot tool.

Google fixes a critical vulnerability in its screenshot editing tool. Within five years, it was possible to undo changes made to images.

When Google began rolling out its March security update a few days ago, the Mountain View firm patched a “high”vulnerability related to Google’s Pixel Markup screenshot tool. This weekend, Simon Aarons and David Buchanan, the engineers who discovered the vulnerability in question, identified as CVE-2023-21036, shared more details and revealed that Pixel users are still at risk of seeing their old images compromised due to the nature of the vulnerability. this is an oversight on Google’s part.

Google Fixes Critical Vulnerability in Its Screenshot Editing Tool

In summary, this “aCropalypse” vulnerability allowed an attacker to take a cropped screenshot of a PNG in markup and undo several changes made to the image. It’s easy to imagine scenarios where a hacker could abuse this feature. For example, if a Pixel owner used markup to hide personal information in a screenshot, someone could use that vulnerability to reveal that information. The entire technical procedure is detailed on David Buchanan’s blog.

According to the latter, this flaw has been around for about five years, coinciding with the release of Markup along with Android 9 Pie in 2018. And therein lies the problem. While the March security patch prevents markup images from being compromised in the future, some screenshots that Pixel users may have shared in the past are still at risk.

Within five years, it was possible to undo changes made to images.

It’s hard to imagine how these users should worry about this shortcoming. According to the man page, which Simon Aarons and David Buchanan shared with 9to5Google and The Verge, according to the help page that Simon Aarons and David Buchanan shared with 9to5Google and The Verge, some sites, including Twitter, process images in such a way that no one can exploit the vulnerability to come and undo or multiple edits made to a screenshot or photo. But users of other platforms were less fortunate. Simon Aarons and David Buchanan refer to Discord as such, specifying that the service did not fix this shortcoming until its January 17th update. It is currently unknown if images hosted on other messaging and social media apps are vulnerable.

The March security update is currently available for the Pixel 4a, 5a, 7, and 7 Pro, which means markup can still generate vulnerable images on some Google Pixels. It’s hard to say if Mountain View will offer a fix for other Pixel devices. If you have a Pixel that doesn’t have the update, avoid using markup to share images that contain sensitive data.

Introducing Acrocalypse: A serious privacy vulnerability in Google Pixel’s built-in screenshot editing tool, Markup, allows partial restoration of the original, unedited image data of a cropped and/or edited screenshot. Huge thanks to @David3141593 for the help! pic.twitter.com/BXNQomnHbr

— Simon Aarons (@ItsSimonTime) March 17, 2023

CDN CTB