Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Pixel Vulnerability Allows Recovery of Cropped Screenshots

A vulnerability in Google Pixel phones allows for the recovery of an original, unedited screenshot from the cropped version.

A vulnerability lurking in Google’s Pixel phones for five years allows for the recovery of an original, unedited screenshot from the cropped version of the image.

Referred to as aCropalypse and tracked as CVE-2023-21036, the issue resides in Markup, the image-editing application on Pixel devices, which fails to properly truncate edited images, making the cropped data recoverable.

Reverse engineers Simon Aarons and David Buchanan, who identified the bug, point out that the bug has existed since 2018 and that it was the result of a code change that Markup did not adhere to.

Specifically, when switching from Android 9 to Android 10, the parseMode() function was modified to overwrite a file with a truncated one if the argument ‘wt’ was passed to it. Previously, the argument ‘w’ was needed for the same operation.

Because Markup’s behavior was not changed and it continued to use the argument ‘w’, while it did crop the image, it did not tell the OS to overwrite the original with the smaller version, resulting in the truncated data being left at the end of the file instead.

“The end result is that the image file is opened without the O_TRUNC flag, so that when the cropped image is written, the original image is not truncated. If the new image file is smaller, the end of the original is left behind,” Buchanan explains.

The researcher also points out that the change from ‘w’ to ‘wt’ was only documented in 2021, when a bug report was submitted.

Google addressed the vulnerability with the March 2023 security update for Pixel devices, which patches more than 120 bugs, aside from the issues resolved with the March 2023 Android update.

Advertisement. Scroll to continue reading.

Aarons and Buchanan released proof-of-concept (PoC) code targeting the vulnerability and explain that, even if the flaw is patched, it still represents a potential privacy issue: any screenshots cropped before the patch can be at least partially restored to the original.

“You can patch it, but you can’t easily un-share all the vulnerable images you may have sent. The bug existed for about 5 years before being patched, which is mind-blowing given how easy it is to spot when you look closely at an output file,” Buchanan points out.

Related: Google Describes Privacy, Security Improvements in Android 14

Related: Android’s February 2023 Updates Patch 40 Vulnerabilities

Related: Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.