"Google Pixel Vulnerability Allows Recovery of Cropped Screenshots"

Reverse engineers Simon Aarons and David Buchanan have discovered a vulnerability that has lurked in Google's Pixel phones for five years and allows the original, unedited screenshot to be recovered from a cropped version of the image. Referred to as aCropalypse and tracked as CVE-2023-21036, the issue resides in Markup, the image-editing application on Pixel devices. Markup fails to properly truncate edited image files, so the cropped-out data remains recoverable.

The reverse engineers stated that the bug has existed since 2018 and that it resulted from a code change that Markup did not adhere to. Specifically, in the switch from Android 9 to Android 10, the parseMode() function was modified so that an existing file is truncated when it is overwritten only if the argument "wt" is passed to it. Previously, the argument "w" was needed for the same operation. The engineers noted that Markup's behavior was not changed and it continued to use the argument "w". As a result, while Markup did crop the image, it did not tell the OS to overwrite the original with the smaller version, and the data that should have been truncated was left at the end of the file instead. The engineers explained that the end result is that the image file is opened without the O_TRUNC flag, so that when the cropped image is written, the original image is not truncated. If the new image file is smaller, the end of the original is left behind. The researchers also point out that the change from "w" to "wt" was only documented in 2021, when a bug report was submitted.

Google addressed the vulnerability with the March 2023 security update for Pixel devices, which patches more than 120 bugs in addition to the issues resolved with the March 2023 Android update.
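The file-handling behavior described above can be reproduced at the system-call level. The following C program is an added example, not code from Markup, Android, or the researchers: it saves a longer file, overwrites it with a shorter one with and without O_TRUNC, and counts the bytes of the first file that remain. The file name, the helper names, and the two byte strings are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-ins for image bytes; the edited file is shorter. */
static const char ORIGINAL[] = "ORIGINAL-SCREENSHOT-WITH-PRIVATE-REGION";
static const char CROPPED[]  = "CROPPED-IMAGE";

/* Write buf to path using the given open(2) flags; 0 on success. */
static int put(const char *path, int flags, const char *buf, size_t len)
{
    int fd = open(path, flags, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, len);
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}

/* Save ORIGINAL, then save CROPPED over it with extra_flags added to the
 * second open(). Returns how many bytes of ORIGINAL remain after the new
 * content, or -1 on error. */
long stale_tail_after_save(const char *path, int extra_flags)
{
    char buf[128];
    size_t new_len = strlen(CROPPED);

    if (put(path, O_WRONLY | O_CREAT | O_TRUNC, ORIGINAL, strlen(ORIGINAL)) != 0 ||
        put(path, O_WRONLY | O_CREAT | extra_flags, CROPPED, new_len) != 0)
        return -1;

    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t size = read(fd, buf, sizeof buf);
    close(fd);
    unlink(path);
    if (size < (ssize_t)new_len || memcmp(buf, CROPPED, new_len) != 0) return -1;
    /* Anything past new_len is left over from the first write. */
    if (memcmp(buf + new_len, ORIGINAL + new_len, (size_t)size - new_len) != 0) return -1;
    return (long)(size - (ssize_t)new_len);
}

int main(void)
{
    const char *path = "acropalypse_demo.tmp";  /* hypothetical scratch file */
    printf("without O_TRUNC: %ld stale bytes\n", stale_tail_after_save(path, 0));
    printf("with O_TRUNC:    %ld stale bytes\n", stale_tail_after_save(path, O_TRUNC));
    return 0;
}
```

Code that saves an edited file over an existing one should either pass the truncating mode explicitly or write to a new file and rename it into place, and should verify the final file length matches the number of bytes written.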

 

SecurityWeek reports: "Google Pixel Vulnerability Allows Recovery of Cropped Screenshots"

Submitted by Anonymous on