Two security researchers have warned of a serious vulnerability found in Google Pixel phones that allows the detection of parts that users have hidden in screenshots edited with the Markup screenshot editing tool, which is present by default on Pixel phones.
Security researchers (Simon Aarons) and (David Buchanan) highlighted the vulnerability, which they called aCropalypse, in a Twitter tweet in which they said that the vulnerability allows parts that users have hidden from screenshots to be recovered by disguising them, which exposes the user’s sensitive personal information , such as his name, address and phone number, his credit card, or any other hidden information to disclose.
According to the researchers, the vulnerability was discovered five years ago when Google released Markup with the release of the Android 9 update in 2018.
While Google recently released a security update to address the vulnerability, the risk is that modified images may be reverted prior to this update.
The researchers said that the reason for the vulnerability is that the Markup application preserves the original image information in the image file itself, without removing image information that the user has hidden. This means that hidden information can be extracted by applying some reverse engineering algorithms to the image file.
This means that images edited with the aforementioned tool that have been posted on social media for years are still vulnerable to exploitation. The researchers pointed out that some social networks, such as Twitter, compress images uploaded to the platform in such a way that these images are stripped of their original information, making it impossible to extract sensitive information from them. However, other services do not make any modifications to the images uploaded to them, which makes them vulnerable to exploitation. For example, the researchers referred to the Discord chat application, which released an update to fix the vulnerability on January 17, but modified images that users shared on the platform before that date, may be at risk.
