Security flaw in Google Pixel's Markup tool can reveal sensitive information

(Representative Image)

A security flaw in Pixel's screenshot editing utility Markup may allow bad actors to restore cropped or edited images and potentially discover sensitive information.

As spotted by 9to5Google, the vulnerability was discovered by reverse engineers Simon Aarons and David Buchanan and reported to Google in early January. While the flaw has been fixed with the March 2023 update, older photos may still be at risk.

Also Read | TikTok bans: What the evidence says about security and privacy concerns

Dubbed "acropalypse," the flaw allows bad actors to partially recover the original, unedited image data of the cropped photo.

Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr

Related Stories

• Google pledges $15 million, unveils new collaborations to boost India's AI research and developer co...
• Google to shut down Dark Web Report that scanned the dark web for user data
• Google takes down various AI videos of Disney characters: Here’s why

— Simon Aarons (@ItsSimonTime) March 17, 2023

For instance, if you were to send someone a screenshot of your bank card with numbers redacted, another user might be able to un-censor the image and recover your card credentials.

In the example image, the engineers were able to recover 80 percent of the original image, including the credentials. Only the top 20 percent of the image was corrupted.

Also Read | Blizzard working to fix long queue times for Diablo IV beta players

They explained that when an image is cropped using Markup, it saves the edited version of the screenshot at the same file location as the original but does not delete it. This means bad actors can recover the portions of the original image data left behind.

Most social media sites such as Twitter re-process images when they are uploaded, thereby deleting the traces of original data left in the image. However, if you have been on Discord lately, then any images shared on the platform before January 17 may still have this flaw.