A severe vulnerability has been found in the Markup tool on Google Pixel smartphones that can let hackers un-edit edited screenshots. While the vulnerability has been patched with the latest March 2023 security patch, it still poses risks for Pixel users. Identified by security researchers Simon Aarons and David Buchanan and dubbed “aCropalypse,” the flaw, tracked as CVE-2023-21036, lets someone undo some of the edits made with the Markup tool on a cropped PNG screenshot.
According to the developers, this means that years' worth of redacted images sent on platforms such as Discord over the past five years could potentially be at risk of being exposed by bad actors. That’s because the vulnerability existed when Google introduced the Markup feature in Android 9 Pie last year, and it only takes a few steps to reclaim that data.
How it works
Whenever a user crops or edits an image using the Markup tool, Google saves both the original snapshot and the edited version in the same folder. The app then uses the modified version while the original image remains unchanged.
But this doesn’t prevent hackers from reclaiming those original edits, as the reverse engineering process can recover them. It’s all about knowing where the information is stored in a file.
As a result, the reclaimed information can include anything from personal information to passwords and even private photos.
Test your cropped PNGs here.
After discovering the vulnerability, security researcher and ethical hacker David Schutz tried the exploit on his Pixel 6 device. He realized that by swapping out the SIM card, entering the PIN incorrectly three times, and then entering a Personal Unlocking Key (PUK) code and choosing a new PIN, he could unlock the phone without any fingerprint or PIN.
This bug could easily be abused by crooks, hackers, and jealous spouses. It’s why Schutz reported it to Google and was given a $70,000 bounty for discovering and reporting the vulnerability.
The vulnerability was fixed in the latest update for Pixel devices, but it’s important to remember that older Pixel devices may not be able to receive security updates. The company has stated that it will not release patches for devices that are out of support.
Why the patch is so important
While it’s nice that Google has finally fixed the security issue, it’s also worth noting that many people may have been sharing these redacted images over the years on platforms like Discord. As a result, keeping track of these files is challenging, and bad actors could easily reclaim them.
This bug is serious, and it’s a shame that it was only found recently and didn’t get the attention it deserved. It’s a glaring security vulnerability that will significantly impact how people share and protect their private information. That’s why it’s vital to patch this bug immediately.