Google Pixel bug lets you “uncrop” the last four years of screenshots

At least the acropalypse.app tool has a pretty sweet logo.

Enlarge / At least the acropalypse.app tool has a pretty sweet logo. (credit: acropalypse.app)

Back in 2018, Pixel phones gained a built-in screenshot editor called "Markup" with the release of Android 9.0 Pie. The tool pops up whenever you take a screenshot, and tapping the app's pen icon gives you access to tools like crop and a few colored drawing pens. That's very handy assuming Google's Markup tool actually does what it says, but a new vulnerability points out the edits made by this tool weren't actually destructive! It's possible to uncrop or unredact Pixel screenshots taken during the past four years.

The bug was discovered by Simon Aarons and is dubbed "Acropalypse," or more formally CVE-2023-21036. There's a proof-of-concept app that can unredact Pixel screenshots at acropalypse.app, and it works! There's also a good technical write-up here by Aarons' collaborator, David Buchanan. The basic gist of the problem is that Google's screenshot editor overwrites the original screenshot file with your new edited screenshot, but it does not truncate or recompress that file in any way. If your edited screenshot has a smaller file size than the original—that's very easy to do with the crop tool—you end up with a PNG with a bunch of hidden junk data at the end of it. That junk data is made up of the end bits of your original screenshot, and it's actually possible to recover that data.

That sounds like a bad way to write a screenshot cropping tool, but in Google's defense, the Android 9 release of the Markup tool worked correctly and truncated the overwritten file. Android 10 brought a lot of dramatic "Scoped Storage" changes to how file storage worked in Android, though. It's unclear how or why this happened, but perhaps as part of that huge wave of file-handling commits, one undocumented change made it into the Android Framework file parser: the Framework's "write" mode stopped truncating overwritten files, and the bug in Markup was created. The Markup tool relied on the OS's file handling, and the way it worked changed in a later release, which it looks like nobody noticed.

Read 2 remaining paragraphs | Comments



At least the acropalypse.app tool has a pretty sweet logo.

Enlarge / At least the acropalypse.app tool has a pretty sweet logo. (credit: acropalypse.app)

Back in 2018, Pixel phones gained a built-in screenshot editor called "Markup" with the release of Android 9.0 Pie. The tool pops up whenever you take a screenshot, and tapping the app's pen icon gives you access to tools like crop and a few colored drawing pens. That's very handy assuming Google's Markup tool actually does what it says, but a new vulnerability points out the edits made by this tool weren't actually destructive! It's possible to uncrop or unredact Pixel screenshots taken during the past four years.

The bug was discovered by Simon Aarons and is dubbed "Acropalypse," or more formally CVE-2023-21036. There's a proof-of-concept app that can unredact Pixel screenshots at acropalypse.app, and it works! There's also a good technical write-up here by Aarons' collaborator, David Buchanan. The basic gist of the problem is that Google's screenshot editor overwrites the original screenshot file with your new edited screenshot, but it does not truncate or recompress that file in any way. If your edited screenshot has a smaller file size than the original—that's very easy to do with the crop tool—you end up with a PNG with a bunch of hidden junk data at the end of it. That junk data is made up of the end bits of your original screenshot, and it's actually possible to recover that data.

That sounds like a bad way to write a screenshot cropping tool, but in Google's defense, the Android 9 release of the Markup tool worked correctly and truncated the overwritten file. Android 10 brought a lot of dramatic "Scoped Storage" changes to how file storage worked in Android, though. It's unclear how or why this happened, but perhaps as part of that huge wave of file-handling commits, one undocumented change made it into the Android Framework file parser: the Framework's "write" mode stopped truncating overwritten files, and the bug in Markup was created. The Markup tool relied on the OS's file handling, and the way it worked changed in a later release, which it looks like nobody noticed.

Read 2 remaining paragraphs | Comments


March 20, 2023 at 11:04PM

Post a Comment

Previous Post Next Post