Google Pixel exploit reverses screenshot edits

A security flaw affecting Markup, the Google Pixel’s default screenshot editing utility, allows images to become partially ‘unedited’, potentially revealing personal information that users chose to hide, as previously spotted by 9to5Google and Android Police. The vulnerability, discovered by reverse engineers Simon Aarons and David Buchanan, has since been patched by Google, but it still has widespread implications for redacted screenshots shared before the update.

As detailed in a thread Aarons posted on Twitter, the aptly named “aCropalypse” flaw makes it possible for someone to partially recover PNG screenshots edited in Markup. That includes scenarios where someone used the tool to crop out or scribble over a name, address, credit card number, or any other kind of personal information the screenshot may contain. A malicious person could exploit this vulnerability to undo some of those changes and obtain information the user thought was hidden.

In an FAQ page obtained early by 9to5Google, Aarons and Buchanan explain that the flaw exists because Markup saves the original screenshot to the same file location as the edited one and never deletes the original version. If the edited version is smaller than the original, “the end of the original file is left behind after the new file should have ended”.
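A defensive check for the condition described above, as an added example (not code from Aarons, Buchanan or Google): it models the save as an in-place overwrite that does not truncate the file, then counts the bytes left after the PNG’s IEND chunk, which is what a scanner for affected screenshots would flag. The helper names and the seeded-noise sample images are assumptions constructed for illustration.

```python
import os, random, struct, tempfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC-32 of type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width, height, seed=0):
    """Constructed sample: a valid 8-bit grayscale PNG of seeded noise."""
    rng = random.Random(seed)
    rows = b"".join(b"\x00" + bytes(rng.getrandbits(8) for _ in range(width))
                    for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))

def trailing_bytes(png):
    """Walk the chunks and return the number of bytes after IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if crc != zlib.crc32(png[pos + 4:end - 4]):
            raise ValueError("bad chunk CRC")
        pos = end
        if ctype == b"IEND":
            return len(png) - pos
    raise ValueError("no IEND chunk")

def save_over(old, new, truncate):
    """Save `old`, then save `new` to the same path; return the file's bytes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "screenshot.png")
        with open(path, "wb") as f:
            f.write(old)
        # "r+b" overwrites in place and keeps the old length; "wb" truncates.
        with open(path, "wb" if truncate else "r+b") as f:
            f.write(new)
        with open(path, "rb") as f:
            return f.read()
```

Calling `trailing_bytes(save_over(make_png(64, 64), make_png(16, 16, seed=1), truncate=False))` returns the size difference between the two images, while the same call with `truncate=True` returns 0.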

According to Buchanan, the bug first appeared about five years ago, around the same time Google introduced Markup with the Android 9 Pie update. That means years-old screenshots that were edited with Markup and shared on social media platforms could be vulnerable to the exploit.

The FAQ page states that certain sites, including Twitter, reprocess images posted on their platforms, which removes the flaw, while others, such as Discord, do not. Discord only recently patched the exploit in an update, which means edited images shared to the platform before that update may be at risk. It is not yet clear whether any other sites or apps are affected, and if so, which ones.

The example posted by Aarons shows a cropped image of a credit card posted on Discord, with the card number also blocked out using the Markup tool’s black pen. Once Aarons downloads the image and exploits the aCropalypse vulnerability, the top of the image comes back corrupted, but the parts that were edited out in Markup, including the credit card number, are still visible. You can read more about the technical details of the flaw in Buchanan’s blog post.

After Aarons and Buchanan reported the flaw (CVE-2023-21036) to Google in January, the company patched the issue in a March security update for the Pixel 4A, 5A, 7, and 7 Pro, with its severity classified as High. It is unclear when this update will reach the other affected devices, and Google did not immediately respond to The Verge’s request for more information. If you want to see how the problem works for yourself, you can upload a screenshot edited with a non-updated version of the Markup tool to the demo page created by Aarons and Buchanan. Or you can check out some of the scary examples posted on the web.

The flaw came to light just days after Google’s security team found that the Samsung Exynos modems included in the Pixel 6, Pixel 7, and some Galaxy S22 and A53 models could allow hackers to ‘remotely compromise’ devices using only the victim’s phone number. Google patched the issue in its March update, which is not yet available for Pixel 6, 6 Pro, and 6A devices.
