Most of us have the good sense these days not to post personal information online. That’s why markup tools are so helpful: You can quickly crop or censor any personal information out of a screenshot, then safely send it anywhere you like. However, if you use Markup on a Pixel phone, your edited screenshots aren’t so safe (at least, they weren’t up until now).
As reported by 9to5Google, the issue stems from a Markup bug that allows someone in the know to recover most of the original image without your knowledge. If you were to take a photo of your driver’s licence, then cover up your face and other identifying information with Markup on your Pixel, a bad actor could restore up to 80% of the screenshot, meaning most of that censored info would be visible. The same could be said about a screenshot of a credit card with the number crossed out, or an image of a document with your address cropped out. This bug even has a clever name: “acropalypse.”
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel’s inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr
— Simon Aarons (@ItsSimonTime) March 17, 2023
Researchers discovered that since Markup’s inception in 2018, the feature has saved the edited image to the same location as the original file without erasing the original. The edited image is smaller than the original, so the remainder of the original data is left over in the file, unbeknownst to the user. All it takes is someone who knows what they’re doing to recover the vast majority of the original screenshot, sensitive information and all.
Before you panic, there are a couple of pieces of good news here. The first is Google already has a fix: The 2023 March update for Android includes a patch for this Markup bug, so any screenshots edited with the tool going forward should be safe. If you haven’t updated your Pixel yet, you should do so ASAP.
The second piece of (mostly) good news is that many social media sites process these images in a way that happens to block bad actors from exploiting the vulnerability in the first place. If you tweeted one of these affected screenshots, for example, you have nothing to worry about.
However, if you uploaded the screenshot to a site that doesn’t process the images in this way, that’s where the trouble starts. Right now, the biggest offender is Discord. Any image edited with Markup before Jan 2023 is affected. Discord updated something on its end, so screenshots uploaded going forward should be safe.
You can never be too careful, though: If you’re curious whether one of your screenshots is affected, you can use this tool to check.