The aCropalypse vulnerability can expose sensitive information previously removed from Pixel screenshots

A newly disclosed vulnerability could reveal previously redacted details from screenshots if edits were made using a Pixel device.

Researchers Simon Aarons and David Buchanan have disclosed a new security vulnerability that allows previously redacted details to be restored from screenshots that were edited with the Markup editing tool found on Google Pixel devices. While the issue has been addressed in the latest March security patch, it persists in all images and screenshots shared over the years prior to this patch.

To show how this vulnerability works, Aarons built a website that includes a tool for testing the problem. You simply provide it with a PNG screenshot that was edited on a Pixel, and it will attempt to recover the additional data contained in the image. How much can be restored varies, ranging from recovering details that had been obscured to revealing more of an image by restoring cropped portions.

As for how this happened, it seems that some changes made in Android 10 caused the original data from edited photos to remain in the file. That is why this vulnerability can still recover data from images to reveal things that were previously hidden or removed. Of course, this is a very basic explanation, but if you want to dive into the full details of how it all works, you can head over to Buchanan's website.

Of course, there is still the matter of all the affected photos that have been shared over the past few years. For most people, there will be no easy way to locate and remove these files once they have been posted online. While Buchanan mentions a script he created for himself that would find these types of images on Discord, he hasn't released the tool to the public. As a Pixel user, if you have installed the latest security update, you have done almost everything you can do. But if you have ever shared photos containing redacted sensitive information, unfortunately, there is still a high chance that these photos will reveal their data, so be vigilant.

Source: Simon Aarons (Twitter), David Buchanan (Twitter)

