Tom’s Guide
Technology
Richard Priday

Google Pixel photo edit bug puts phones dangerously at risk — update yours now


Google Pixel 7 and older Pixels have a potentially dangerous flaw hidden within their photo editing tools that, even now that it is patched, could still allow others to reveal potentially compromising information.

The "aCropalypse" flaw, discovered by Simon Aarons and David Buchanan, allows edits made using Android's in-built Markup tool to be at least partially reversed, as the tool on the web page linked above demonstrates. 

This is possible because the original files are saved alongside the edited ones, rather than being overwritten or the two images being saved separately.

The pair reported the issue to Google privately back in January, but they believe it has been around for as long as five years; in other words, for as long as the Markup tool has been available, since it arrived in Android 9 (Pie).

This isn't by definition a vulnerability, but depending on what you make edits to, you could find that personal information (or details you'd rather were left unseen) is surprisingly easy to get at. According to Aarons and Buchanan, uploading these shots to some social media services (like Twitter) would bake in the edits, but others would not, allowing other users to download the image and undo the edits.

However, the researchers mention that others, such as Discord, would until recently upload the file as-is, allowing users in the same channel to potentially undo edits.

We got it to work — it's kind of scary

In our own attempts using the reconstruction tool with screenshots from a Pixel 3a I had to hand, and with help from a colleague with a Pixel 6 Pro, we were able to restore cropped images to their original state, but none we had tried to draw over using the pen or highlighter tool. Here's our best example, where the tool was able to rebuild a full screenshot of a supermarket app from a cropped image of only the banner at the bottom.

Two screenshots illustrating the Pixel aCropalypse flaw. The first, taken from a Google Pixel 6, is a heavily cropped image of an app, showing only the bottom quarter of the image. On the right is the image restored using the aCropalypse.app tool, which has rebuilt almost the entire page save for a partly corrupted/blacked-out section at the top, using the data that's saved within the original cropped version's file. (Image credit: Tom's Guide)

If this was the limit of the bug's abilities, I wouldn't be too worried, but Aarons was able to reveal a (sample) credit card number after it had been blocked out using this method.

The March update that closes this loophole is currently downloadable on the Pixel 4a, Pixel 5a, Pixel 6 and Pixel 6 Pro, plus the latest Pixel 7 and Pixel 7 Pro. However, all Pixels since the original can in theory run Android 9, the version that introduced Markup, and therefore be at risk of this flaw.

Make sure you download the update as soon as you can, and be careful about sharing images you've edited in Markup before now.
