Hacking

Acropalypse flaw in Google Pixel’s Markup tool allowed the recovery of edited images

The Acropalypse flaw in the Markup tool of Google Pixel allowed the partial recovery of edited or redacted screenshots and images.

Security researchers Simon Aarons and David Buchanan have discovered a vulnerability, named ‘Acropalypse,’ in the Markup tool of Google Pixel. The Markup tool is a built-in Markup utility, released with Android 9 Pie that allows Google Pixel users to edit (crop, add text, draw, and highlight) screenshots.

The vulnerability allowed the partial recovery of the original, unedited image data of a cropped and/or redacted screenshot.

Aarons described how to exploit the vulnerability via Twitter. Let’s imagine a user uploading a screenshot from a bank app or website that includes an image of his payment card.

The user uses the Markup’s Pen tool to remove the payment card data number from the image before sharing it on a service, like Discord.

The vulnerability in the Markup tool could have allowed an attacker that downloaded the image to perform a “partial recovery of the original, unedited image data of cropped and/or redacted screenshot.”

The exploitation of the bug can allow an attacker to remove the black lines used to hide the card number, as well as ~80% of the full screenshot, which might include other sensitive information.

“The third panel is titled “Recovered image” and depicts a fake bank website. The top 20% of the image is corrupted, but the remainder of the image – including a photo of the credit card with its number visible – is fully recovered.” Aarons explained.

The duo has also published a demo utility that allows the owners of the Pixel devices to test their own redacted images and see if they are recoverable. The experts also announced that they will publish a FAQ shortly.

When an image is cropped using Markup, it saves the edited version in the same file location as the original. However, it does not erase the original file before writing the new one. If the new file is smaller, the trailing portion of the original file is left behind, after the new file is supposed to have ended.states the 9to5google website.

According to a technical analysis published by David Buchanan, the root cause of the flaw was due to this horrible bit of API “design”: https://issuetracker.google.com/issues/180526528.

“Google was passing “w” to a call to parseMode(), when they should’ve been passing “wt” (the t stands for truncation). This is an easy mistake, since similar APIs (like POSIX fopen) will truncate by default when you simply pass “w”. Not only that, but previous Android releases had parseMode(“w”) truncate by default too! This change wasn’t even documented until some time after the aforementioned bug report was made.” wrote Buchanan. “The end result is that the image file is opened without the O_TRUNC flag, so that when the cropped image is written, the original image is not truncated. If the new image file is smaller, the end of the original is left behind.”

The vulnerability, tracked as CVE-2023-21036, was reported to Google in January 2023, and the IT giant addressed it on March 13, 2023.

Despite Google has addressed the issue, the images edited with the tool and shared in the past five years are vulnerable to the Acropalypse attack.

The experts verified that there are a lot of cropped screenshots on platforms like Discord.

Buchanan wrote a script to scrape his own message history to look for vulnerable images and discovered that there were lots of them.

“The worst instance was when I posted a cropped screenshot of an eBay order confirmation email, showing the product I’d just bought. Through the exploit, I was able to un-crop that screenshot, revealing my full postal address (which was also present in the email). That’s pretty bad!” Buchanan concluded.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google Pixel)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

1 hour ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

15 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

22 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.