Apart from the Samsung Exynos modem problem, the March 2023 security update for Android 13 QPR2 patches the Pixel Markup screenshot vulnerability as well. Simon Aarons discovered and submitted this vulnerability (CVE-2023-21036) to Google in early January, with David Buchanan developing the initial proof-of-concept exploit:
“Screenshots cropped using the built-in “Markup” app on Google Pixel devices may be retroactively un-cropped and un-redacted under any circumstances.” For reference, the built-in Markup feature on Pixel phones, which debuted with Android 9 Pie in 2018, allows you to modify screenshots (crop, add text, draw, and highlight).
The Pixel Markup screenshot vulnerability
Let’s imagine you submit a screenshot from a hypothetical bank app/website that contains a photo of your credit/debit card. Everything but the card is cropped out, and the 16-digit number is blacked out with Markup’s Pen tool. You then distribute the message using a service such as Discord.
Because of a flaw in the way Markup works, anybody who downloads the picture can do a “partial recovery of the original, unaltered image data of [the] cropped and/or censored screenshot.” A malevolent party may erase the black lines and view the credit card number, as well as 80% of the whole screenshot, which may contain additional sensitive information, in the example above.
“The top 20% of the image is corrupted, but the remainder of the image- including a photo of the credit card with its number visible – is fully recovered.” The Pixel Markup screenshot vulnerability may be an issue for you if you shared screenshots with addresses, phone numbers, or other sensitive information.
“The privacy impact of this bug stems from people sharing cropped images [that] unknowingly included extra data. Fortunately, most social media services re-process uploaded images, which strips the trailing data and mitigates the vulnerability. For example, Twitter is safe from acropalypse. The following is an incomplete list of known vulnerable services and apps commonly used to share images: (i.e. services that do not strip trailing image data)”
Well, it’s nice the Pixel Markup screenshot vulnerability was fixed with the March 2023 security patch, with CVE-2023-21036 listed as having a “High” severity. That Pixel update is currently available for the Pixel 4a-5a, 7, and 7 Pro.
