Back in 2018, Pixel phones gained a built-in screenshot editor called “Markup” with the release of Android 9.0 Pie. The tool pops up whenever you take a screenshot, and tapping the app’s pen icon gives you access to tools like crop and a few colored drawing pens. That’s very handy assuming Google’s Markup tool actually does what it says, but a new vulnerability points out the edits made by this tool weren’t actually destructive! It’s possible to uncrop or unredact Pixel screenshots taken during the past four years.
The bug was discovered by Simon Aarons and is dubbed “Acropalypse,” or more formally CVE-2023-21036. There’s a proof-of-concept app that can unredact Pixel screenshots at acropalypse.app, and it works! There’s also a good technical write-up here by Aarons’ collaborator, David Buchanan. The basic gist of the problem is that Google’s screenshot editor overwrites the original screenshot file with your new edited screenshot, but it does not truncate or recompress that file in any way. If your edited screenshot has a smaller file size than the original—that’s very easy to do with the crop tool—you end up with a PNG with a bunch of hidden junk data at the end of it. That junk data is made up of the end bits of your original screenshot, and it’s actually possible to recover that data.
That sounds like a bad way to write a screenshot cropping tool, but in Google’s defense, the Android 9 release of the Markup tool worked correctly and truncated the overwritten file. Android 10 brought a lot of dramatic “Scoped Storage” changes to how file storage worked in Android, though. It’s unclear how or why this happened, but perhaps as part of that huge wave of file-handling commits, one undocumented change made it into the Android Framework file parser: the Framework’s “write” mode stopped truncating overwritten files, and the bug in Markup was created. The Markup tool relied on the OS’s file handling, and the way it worked changed in a later release, which it looks like nobody noticed.
The proof-of-concept tool at acropalypse.app works great. If you happen to have an unpatched Pixel device lying around, you can crop a screenshot, feed it into the tool, and you’ll get uncropped data back. It’s not perfect—you’ll usually get a heavily corrupted PNG back with a large blank section, then a strip of funky colors, but you can pretty reliably recover the bottom part of a cropped image. The bug was fixed in the March 2023 security update for Pixel devices, where it was marked as a “High” security vulnerability. This only affected the Pixel screenshot editor, which saves PNGs by overwriting them, not the Google Photos editor, which saves JPGs by making a new copy. So typically, cropped screenshots are vulnerable, not cropped camera photos—unless you were doing something weird like taking a screenshot of your camera output.
Just patching the bug for future users doesn’t solve the problem, though. There’s still the matter of the last four years of Pixel screenshots that are out there and possibly full of hidden data that people didn’t realize they were sharing. If you’ve shared that screenshot publicly, whether or not that screenshot is leaking data depends on who’s hosting it. Some apps, like Twitter, will recompress any uploaded files, and that will delete the hidden data in your screenshot. If an app shares the original file instead, a third party could uncrop your screenshot. Notably, Discord is confirmed to do this, and plenty of other messaging apps probably share the original file, too.