• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

 | 

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Mobile
  • Acropalypse flaw in Google Pixel’s Markup tool allowed the recovery of edited images

Acropalypse flaw in Google Pixel’s Markup tool allowed the recovery of edited images

Pierluigi Paganini March 20, 2023

The Acropalypse flaw in the Markup tool of Google Pixel allowed the partial recovery of edited or redacted screenshots and images.

Security researchers Simon Aarons and David Buchanan have discovered a vulnerability, named ‘Acropalypse,’ in the Markup tool of Google Pixel. The Markup tool is a built-in Markup utility, released with Android 9 Pie that allows Google Pixel users to edit (crop, add text, draw, and highlight) screenshots.

The vulnerability allowed the partial recovery of the original, unedited image data of a cropped and/or redacted screenshot.

Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr

— Simon Aarons (@ItsSimonTime) March 17, 2023

Aarons described how to exploit the vulnerability via Twitter. Let’s imagine a user uploading a screenshot from a bank app or website that includes an image of his payment card.

The user uses the Markup’s Pen tool to remove the payment card data number from the image before sharing it on a service, like Discord.

google pixel acropalypse flaw

The vulnerability in the Markup tool could have allowed an attacker that downloaded the image to perform a “partial recovery of the original, unedited image data of cropped and/or redacted screenshot.”

Just realised the alt text got swallowed up when I updated the diagram in the draft tweet…

Image description: A three-panel diagram.

The first panel is titled "Discord message" and depicts a Discord message sent by SimonTime to Retr0id, with an attached cropped photo of a…

— Simon Aarons (@ItsSimonTime) March 18, 2023

The exploitation of the bug can allow an attacker to remove the black lines used to hide the card number, as well as ~80% of the full screenshot, which might include other sensitive information.

“The third panel is titled “Recovered image” and depicts a fake bank website. The top 20% of the image is corrupted, but the remainder of the image – including a photo of the credit card with its number visible – is fully recovered.” Aarons explained.

The duo has also published a demo utility that allows the owners of the Pixel devices to test their own redacted images and see if they are recoverable. The experts also announced that they will publish a FAQ shortly.

“When an image is cropped using Markup, it saves the edited version in the same file location as the original. However, it does not erase the original file before writing the new one. If the new file is smaller, the trailing portion of the original file is left behind, after the new file is supposed to have ended.” states the 9to5google website.

According to a technical analysis published by David Buchanan, the root cause of the flaw was due to this horrible bit of API “design”: https://issuetracker.google.com/issues/180526528.

“Google was passing “w” to a call to parseMode(), when they should’ve been passing “wt” (the t stands for truncation). This is an easy mistake, since similar APIs (like POSIX fopen) will truncate by default when you simply pass “w”. Not only that, but previous Android releases had parseMode(“w”) truncate by default too! This change wasn’t even documented until some time after the aforementioned bug report was made.” wrote Buchanan. “The end result is that the image file is opened without the O_TRUNC flag, so that when the cropped image is written, the original image is not truncated. If the new image file is smaller, the end of the original is left behind.”

The vulnerability, tracked as CVE-2023-21036, was reported to Google in January 2023, and the IT giant addressed it on March 13, 2023.

Despite Google has addressed the issue, the images edited with the tool and shared in the past five years are vulnerable to the Acropalypse attack.

The experts verified that there are a lot of cropped screenshots on platforms like Discord.

Buchanan wrote a script to scrape his own message history to look for vulnerable images and discovered that there were lots of them.

“The worst instance was when I posted a cropped screenshot of an eBay order confirmation email, showing the product I’d just bought. Through the exploit, I was able to un-crop that screenshot, revealing my full postal address (which was also present in the email). That’s pretty bad!” Buchanan concluded.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google Pixel)


facebook linkedin twitter

Acropalypse Google Pixel Hacking hacking news information security news IT Information Security Security Affairs Security News

you might also like

Pierluigi Paganini July 29, 2025
Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data
Read more
Pierluigi Paganini July 28, 2025
U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

    Hacking / July 29, 2025

    U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

    Security / July 28, 2025

    Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

    Security / July 28, 2025

    Scattered Spider targets VMware ESXi in using social engineering

    Cyber Crime / July 28, 2025

    China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

    Hacking / July 28, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT