Two security researchers warned of a serious vulnerability found in Google’s Pixel phones that allows the detection of parts that users have hidden from screenshots edited using the Markup screenshot editing tool that is present by default in Pixel phones.
Security researchers Simon Aarons and David Buchanan highlighted the vulnerability, which they called aCropalypse, in a tweet on Twitter, saying that the vulnerability allows the recovery of parts that users have hidden from screenshots by camouflaging them, which exposes sensitive personal information of the user such as his name, address, credit card number or any other Other information is hidden until disclosure.
According to the researchers, the vulnerability was found five years ago, which is when Google released Markup when it released Android 9 update in 2018.
Although Google issued a security update to fix the vulnerability recently, the risk lies in the possibility of reversing modifications to modified images before this update.
The researchers said that the reason for the vulnerability is that the Markup application saves the original snapshot information within the image file itself, without deleting the image information that the user has hidden. This means that the hidden information can be retrieved by applying some reverse engineering algorithms to the image file.
This means that images edited using the aforementioned tool, which have been posted on social networks for years, are still vulnerable to exploitation. The researchers pointed out that some social networks, such as Twitter, compress the images uploaded to the platform in a way that strips these images of their original information, which makes it impossible to retrieve sensitive information from them. However, other services do not make any modifications to the images uploaded to them, which makes them vulnerable to exploitation. For example, the researchers cited the Discord chat application, which issued an update to fix the vulnerability on January 17, but the modified images that users shared on the platform before that date may be at risk.