The part of the screenshot that is edited is the one that is exploited by the search engine
The Google Pixel Cybercripalypse Update: Recovering Private and Sensitive Images Without Removing Edited Data
At the beginning of March, Google released an update for its flagship Pixel smartphones to patch a vulnerability in the devices’ default photo-editing tool, Markup. Since its 2018 introduction in Android 9, Markup’s photo-cropping tool had been quietly leaving data in a cropped image file that could be used to reconstruct some or all of the original image beyond the confines of the crop. The vulnerability is significant due to the fact that users have been making and sharing images for years, and many of those still contain private or sensitive data. But it gets worse.
Images impacted by aCropalypse often can’t be completely recovered, but they can be substantially reconstructed. Aarons provided examples, including one in which he was able to recover his credit card number after he attempted to crop it out of a photo. There are a lot of photos out there that have information that the person attempting to remove may not have known about.
In a forthcoming FAQ page obtained by 9to5Google, the authors explain that there is a flaw in the system because it keeps the original version in the same location as the edited one. After a new file is supposed to have end, the trailing portion of the original file is left behind.
The FAQ page states that while certain sites, including Twitter, re-process the images posted on the platforms and strip them of the flaw, others, such as Discord, don’t. The patched exploit means that some edited images may have been at risk before the January 17th update. It’s still not clear whether there are any other affected sites or apps and if so, which ones they are.
This flaw came to light just days after Google’s security team found that the Samsung Exynos modems included in the Pixel 6, Pixel 7, and select Galaxy S22 and A53 models could allow hackers to “remotely compromise” devices using just a victim’s phone number. Google has since patched the issue in its March update, although this still isn’t available for the Pixel 6, 6 Pro, and 6A devices yet.
It was mind-blowing to see, it was as if lightning had just struck twice. The original vulnerability was so unexpected that it had yet to be discovered. It was quite mind blowing.
Now that the vulnerabilities are out in the open, researchers are uncovering old discussions on programming forums where developers noticed the odd behavior of the crop tools. He might have been the first to see the potential privacy implications, and he brought it to their attention.
“I actually noticed it at about 4 in the morning by total accident when I spotted that a small screenshot I sent of white text on a black background was a 5 MB file, and that didn’t seem right to me,” Aarons says.
Even if Microsoft issues fixes, there isn’t much that can be done to mitigate the problem of image files being removed in the years when the tool was still vulnerable. Google points out, though, that image files shared on some social media and communication services may automatically strip out the errant data.
