Google Pixel: Exploit allows restoring subsequently modified images
A vulnerability in the image processing of Google’s Pixel smartphones allows screenshots that were edited after capture to be largely restored. As a result, sensitive data such as addresses or payment information that was cropped out of or painted over in the images could be reproduced. The vulnerability has since been fixed by Google, but previously distributed images still contain the original information.
According to the discoverers, the vulnerability was introduced back in 2018 with Android 9 (Pie). Since then, when a screenshot is edited on a Pixel smartphone, the edited version is written over the original file, but the rest of the original is kept if the new version is smaller than the original. This is the case, for example, when a credit card number or other personal information is cropped out. Android’s screenshot editing tool (Markup) overwrites only the beginning of the original file; the rest remains. Attackers could use the exploit, known as “Acropalypse”, to restore data that was cropped out or intentionally made unrecognizable.
The vulnerability (CVE-2023-21036), discovered by Simon Aarons and David Buchanan, was reported to Google in early January. The March update for Android closes it, so the original content of newly edited screenshots can no longer be restored. Previously created screenshots still contain the original data. If they have been shared on Discord, for example, they are vulnerable to the exploit.
Not a problem on Twitter, but on Discord
Other social networks such as Twitter re-process uploaded images themselves, which removes the leftover data appended after the image. Discord only introduced this feature in mid-January this year, so screenshots previously uploaded there will still contain the overwritten original data. It is still unclear whether the fix for the vulnerability was coordinated with Google or whether the timing was a coincidence.
With the March update, Google has also fixed some critical vulnerabilities in Android. This includes the zero-day vulnerability in Samsung’s Exynos modem chips. In the Android security bulletin, Google itself rates the Markup vulnerability not as critical but as high severity. The March update is currently being distributed for Pixel smartphones, but users should check the system settings to see whether it needs to be installed manually.
Users can use the website of the discoverers of the vulnerability to check whether their modified screenshots still contain the original information. There you first select the affected Pixel model and then upload the screenshot. The image recovered by the exploit is then displayed, showing whether sensitive data can be reproduced.