Severe security flaw found in the Markup tool on Pixel phones

Hadlee Simons / Android Authority

TL;DR

  • A security flaw in Pixel’s Markup utility allows hackers to un-redact and uncrop edited screenshots.
  • Google has fixed the issue with the March 2023 security update, but Pixel screenshots shared before that remain vulnerable.

A serious vulnerability found in the Markup tool on Pixel phones can let hackers un-redact and uncrop edited screenshots. Identified by security researcher Simon Aarons, the flaw is dubbed “Acropalypse” and has been assigned a CVE ID (Common Vulnerabilities and Exposures).

Suppose you shared a screenshot of your bank statement with someone and used Pixel’s Markup tool to hide sensitive information such as your bank account number or balance. The vulnerability allows anyone to un-redact that confidential information, provided you sent them the original screenshot file.

Most messaging and social media apps compress and re-process shared images, in which case, the hack is not possible. For instance, Twitter is free from Acropalypse. However, Discord only started stripping screenshots of these details in January. Any marked-up Pixel screenshots shared on the platform before that are vulnerable to the hack.

Google released the Markup tool on Pixel phones with Android 9 in 2018. It lets you crop, add text, draw, and highlight screenshots. However, the vulnerability can help bad actors remove this editing and get access to the screenshot in its original state.

While Google fixed the issue with the March 2023 security update, screenshots you shared before updating your Pixel with the latest software can still be exploited, and your hidden information can be partially recovered. Aarons has devised a technical demo of the flaw that you can use to find out whether your edited screenshots can be un-redacted.
