The Pixel Markup screenshot vulnerability addressed with Android QPR2 update

March 20, 2023 Onyebuchi Uche

Apart from the Samsung Exynos modem problem, the March 2023 security update for Android 13 QPR2 patches the Pixel Markup screenshot vulnerability as well. Simon Aarons discovered and submitted this vulnerability (CVE-2023-21036) to Google in early January, with David Buchanan developing the initial proof-of-concept exploit:

“Screenshots cropped using the built-in “Markup” app on Google Pixel devices may be retroactively un-cropped and un-redacted under any circumstances.” For reference, the built-in Markup feature on Pixel phones, which debuted with Android 9 Pie in 2018, allows you to modify screenshots (crop, add text, draw, and highlight).

The Pixel Markup screenshot vulnerability

Let’s imagine you submit a screenshot from a hypothetical bank app/website that contains a photo of your credit/debit card. Everything but the card is cropped out, and the 16-digit number is blacked out with Markup’s Pen tool. You then distribute the message using a service such as Discord.

Because of a flaw in the way Markup works, anybody who downloads the picture can do a “partial recovery of the original, unaltered image data of [the] cropped and/or censored screenshot.” A malevolent party may erase the black lines and view the credit card number, as well as 80% of the whole screenshot, which may contain additional sensitive information, in the example above.

“The top 20% of the image is corrupted, but the remainder of the image- including a photo of the credit card with its number visible – is fully recovered.” The Pixel Markup screenshot vulnerability may be an issue for you if you shared screenshots with addresses, phone numbers, or other sensitive information.

“The privacy impact of this bug stems from people sharing cropped images [that] unknowingly included extra data. Fortunately, most social media services re-process uploaded images, which strips the trailing data and mitigates the vulnerability. For example, Twitter is safe from acropalypse. The following is an incomplete list of known vulnerable services and apps commonly used to share images: (i.e. services that do not strip trailing image data)”

Well, it’s nice the Pixel Markup screenshot vulnerability was fixed with the March 2023 security patch, with CVE-2023-21036 listed as having a “High” severity. That Pixel update is currently available for the Pixel 4a-5a, 7, and 7 Pro.

Source.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

The Pixel Markup screenshot vulnerability

You May Also Like

Android 13 DP1: Features of the Newly Released Android 13 Developer Preview 1

How to Install Android 13 on Google Pixel and other Android Devices

Pixel Widevine bug: latest Android 12L update restores Widevine security to L1

Leave a Reply Cancel reply

OUR WEBSITE MAKE USE OF COOKIES

Discover more from AdimorahBlog