Google Pixel Users Beware: Cropped Screenshots May Not Be Private

Google Pixel lineup

Google Pixel owners, and Android owners more broadly, should take note of an exploit affecting images edited with the built-in markup tool, according to the security researchers who detailed the vulnerability, Android Police reports.

Researchers Simon Aarons and David Buchanan have disclosed an exploit they have dubbed “aCropalypse,” which enables anyone to take a PNG screenshot cropped in Android’s default markup tool and partially undo the edits, revealing parts of the image that were meant to be hidden. Yikes.

Although Google patched the exploit in the March security update for Pixels (CVE-2023-21036), redacted images sent on specific platforms like Discord before mid-January could be at risk. If you’re a heavy Discord user who shared modified screenshots before this was patched, you may want to check the images you’ve uploaded.

You can test the exploit on your images using a demonstration tool provided by the aCropalypse researchers. The vulnerability appears to stem from a change to an API in Android 10, which altered how apps write new data to existing files.

The API issue was eventually deemed “fixed,” but the markup tool continued to use the non-truncating write mode. Aarons and Buchanan informed Google of the bug on January 2, and a fix was finalized internally on January 24. However, it did not begin rolling out to Pixel devices until March 13, with that month’s security patch.

Simply put, the aCropalypse exploit takes advantage of the way PNG files compress data in blocks, with compressed data potentially containing references to previous blocks. Buchanan developed a decompression method that combines this look-back aspect with cryptographic detective work to uncover portions of the original, unedited image.

In the technical description of the exploit on his blog, Buchanan explains how they built an algorithm to recover the original, uncropped data by identifying the start of a dynamic Huffman-coded zlib block. The algorithm then attempts to decompress the data from that point, and if the result looks plausible, the original image data can be recovered.

He went on to give a more technical explanation: the issue stems from a mistake in Google’s proprietary code, where a call to parseMode() should have included a truncation flag but did not. As a result, the original image file was not truncated when the smaller cropped version was written over it, so the leftover bytes of the original remained at the end of the file.
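As an added illustration (not the researchers' code and not Android's), the following Python reproduces the file-system side of that mistake: the same short "cropped" content is written over a longer "original" once without a truncation flag and once with it. The byte strings and the temporary file name are constructed sample data; on Android the equivalent distinction lives in the mode string passed to parseMode(), which the page says lacked the truncation flag.

```python
import os
import tempfile
from typing import Tuple

# Constructed sample data: a stand-in for the original screenshot and the
# shorter cropped version that gets written over it.
ORIGINAL = b"ORIGINAL-SCREENSHOT-BYTES-" * 4
CROPPED = b"CROPPED"


def overwrite(path: str, data: bytes, truncate: bool) -> int:
    """Write `data` at offset 0 of an existing file and return the file size.

    truncate=False mimics the flawed call: the file is opened write-only
    without O_TRUNC, so any bytes beyond len(data) are left untouched.
    truncate=True adds O_TRUNC, which is what the missing flag would have done.
    """
    flags = os.O_WRONLY | os.O_CREAT
    if truncate:
        flags |= os.O_TRUNC
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return os.path.getsize(path)


def simulate(original: bytes, cropped: bytes, truncate: bool) -> Tuple[int, bytes]:
    """Save `original`, overwrite it with `cropped`, and return
    (size on disk, leftover bytes beyond the new content)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "screenshot.png")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(original)
        size = overwrite(path, cropped, truncate)
        with open(path, "rb") as f:
            on_disk = f.read()
    return size, on_disk[len(cropped):]


if __name__ == "__main__":
    for truncate in (False, True):
        size, leftover = simulate(ORIGINAL, CROPPED, truncate)
        print(f"truncate={truncate}: {size} bytes on disk, "
              f"{len(leftover)} leftover bytes from the original")
```

Without the flag the file keeps its original length and the bytes past the new content are exactly the tail of the original; with the flag the file shrinks to the cropped content and nothing is left over.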

The exploit affects not only Google Pixel smartphones, but also certain non-Pixel Android devices and custom ROMs that use the markup tool. While most online platforms re-process user-uploaded images, Discord did not do so in a way that prevented this exploit until January 17. As a result, markup-edited images dating back to late 2019 could be decompressed to reveal unintended information.

Users can use Discord’s search tools to find potentially vulnerable image files, though not every screenshot is necessarily exploitable. Buchanan wrote a script to scan his own Discord uploads for vulnerable images and found numerous instances. In one case, he was able to recover his full postal address from a cropped eBay order screenshot, which, as one can imagine, would be a shocking discovery.
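Checking an upload for leftover data, as an added example (not Buchanan's script and not Discord's server-side processing): a PNG ends with its IEND chunk, so any bytes after that chunk are data no viewer renders. The Python below builds a constructed sample of a small PNG written over a larger one without truncation, walks the chunk list to find where the file should end, reports the trailing bytes, and strips them, which is also the net effect of a platform re-encoding the image. The helper names and the sample images are assumptions; whether a trailing tail can actually be decompressed into image content is a separate question this check does not answer.

```python
import hashlib
import struct
import zlib
from typing import Dict

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def _noise(n: int, seed: int) -> bytes:
    """Deterministic, incompressible filler so IDAT keeps a realistic size."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def make_png(width: int, height: int, seed: int) -> bytes:
    """Constructed sample: a minimal 8-bit greyscale PNG with noisy pixels."""
    pixels = _noise(width * height, seed)
    raw = b"".join(b"\x00" + pixels[r * width:(r + 1) * width]  # filter type 0 per row
                   for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk.
    Raises ValueError for anything that is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError("chunk runs past end of file")
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if crc != zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk")


def check_png(data: bytes) -> Dict[str, object]:
    """Report whether bytes follow IEND. A leftover tail that itself ends in
    an IEND chunk is the signature of a larger PNG overwritten in place
    without truncation."""
    tail = data[png_end_offset(data):]
    return {
        "trailing_bytes": len(tail),
        "tail_ends_with_iend": tail.endswith(_chunk(b"IEND", b"")),
        "suspicious": len(tail) > 0,
    }


def strip_trailing(data: bytes) -> bytes:
    """Mitigation: keep only the bytes up to and including IEND."""
    return data[:png_end_offset(data)]


def constructed_sample() -> bytes:
    """A small PNG written over a larger one without truncation (constructed)."""
    original = make_png(64, 64, seed=7)
    cropped = make_png(8, 8, seed=7)
    return cropped + original[len(cropped):]


if __name__ == "__main__":
    print(check_png(make_png(64, 64, seed=7)))  # clean file: no trailing bytes
    print(check_png(constructed_sample()))       # leftover tail present
```

The CRC check on every chunk keeps the parser from being fooled by a corrupt length field; a file that fails it should be treated as malformed rather than assumed clean. Run over a directory of exported uploads, the `suspicious` flag is the triage signal, and `strip_trailing` (or a full re-encode) is the remediation before re-sharing.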

What can Pixel and Android device owners do right now? Install the latest March security update, and think back to where you have shared cropped or edited screenshots in the past.