Despite a fix, it is still dangerous to send some screenshots


Despite a security patch released this month for Google’s Pixel smartphones, a danger remains: old screenshots edited on these models are still vulnerable. In practice, the edits made to those screenshots can be undone once they have been sent.

Google Pixel 7 // Source: Chloé Pertuis – Frandroid

Last week, Google’s Project Zero security lab warned of various security flaws in Android smartphones. The information was released after a security update was deployed on Pixels. However, some specialists warn that one of the flaws has not been completely fixed.

Old Pixel Screenshots Still Editable (But Not Just By You)

As Engadget reports, engineers Simon Aarons and David Buchanan raised the alarm about the “aCropalypse” flaw, which has reportedly not been fully fixed. With a PNG screenshot cropped or edited in Markup, some of the edits can be undone. This includes cropping, but also the masking of an element, for example with a black rectangle placed over private information (code, address, etc.).

Introducing acropalypse: a serious privacy vulnerability in the Google Pixel’s inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr

—Simon Aarons (@ItsSimonTime) March 17, 2023

David Buchanan detailed the flaw from a technical point of view on his blog, and also gave a practical case of hacking (on one of his own screenshots). He writes: “The worst case is when I posted a cropped screenshot of an eBay order confirmation email, showing the product I had just purchased. Thanks to the exploitation of the bug, I was able to crop this screenshot, revealing my complete postal address.” Another “practical case” was revealed by Simon Aarons: in a screenshot of a credit card sent via Discord with the codes hidden, the lines hiding them can be removed.

The photo module of the Google Pixel 7 Pro // Source: Chloé Pertuis – Frandroid

This flaw dates back to the release of Markup in 2018, which coincides with the release of Android 9 Pie. Thanks to a security patch released by Google this month, new screenshots are not affected. But this is not the case for those made before the patch. It is therefore recommended to pay attention to any screenshots you share that were taken before it. Note, however, that the risk may depend on the channels on which you publish these images. For example, some sites like Twitter “process images in such a way that someone could not exploit the vulnerability to reverse-edit a screenshot or image”, writes Engadget. For the moment, Google has not commented on these revelations.

Which Pixel smartphones are affected?

The flaw was detected on these smartphones:

At the moment, the March security patch deployed by Google is only available on the Pixel 4a, 5a, 7 and 7 Pro, which means that the brand’s other smartphones using Markup can still create vulnerable screenshots. Moreover, Google has not given a timetable for the other models. As for Simon Aarons and David Buchanan, they have put the site acropalypse.app online, which allows you to test your screenshots according to your Pixel model.

