Google Pixel Screenshots Are Vulnerable to Revealing Cropped and Edited Areas
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel’s inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot.
This was reported as CVE-2023-21036; Google says a fix is rolling out to Pixel devices. That is the good news. The very bad news is that every screenshot from a Pixel 3 or newer device is vulnerable to this bug, so long as the image has not been passed through an intermediate re-encoding process.
Although I’m currently an iPhone user, I used to use a Pixel 3XL. I’m also a heavy Discord user, and in the past I’d shared plenty of cropped screenshots through the Discord app.
I wrote a script to scrape my own message history to look for vulnerable images. There were lots of them, although most didn’t leak any particularly private information.
The worst instance was when I posted a cropped screenshot of an eBay order confirmation email, showing the product I’d just bought. Through the exploit, I was able to un-crop that screenshot, revealing my full postal address (which was also present in the email). That’s pretty bad!
There are some people in the replies to Aarons’ tweet claiming the same is true for cropped iPhone screenshots. In my testing, that is not exactly right: if you crop an iPhone screenshot and then share it with default sharing options, it does not transmit edit history or removed image data, as best as I can tell. When I AirDropped a cropped screenshot to myself, it sent a re-encoded JPG image instead of the HEIF original. In the iOS Share sheet, there is an “Options” button; if you want, you can toggle the switch to “include all photos data” which includes “edit history and metadata”, including image data removed via cropping. This option is off by default.
Update: It appears screenshots cropped with Windows 11’s Snipping Tool are also vulnerable.