Google Pixel owners who have used the built-in screenshot functionality and uploaded some of the screenshots to the Internet face a potential privacy disaster. Due to the way redacted or cropped screenshots are saved on Pixel devices, it is possible to recover the original unredacted image.
Named aCropalypse by security researcher Simon Aarons, it is a serious issue that could lead to personal information being exposed on the Internet. To name a few examples: a screenshot of a credit card with a redacted number could reveal the number; a user who cropped an image to hide parts of it could find the image restored in full; and a user who published a screenshot with redacted address information could discover that the address may be revealed after all.
A demo site that demonstrates the image recovery functionality is already available. It seems to work with all recent Pixel devices, from the latest Pixel 7 Pro to Pixel 3. There is also an option to set a custom resolution for the image, which may then work with other Pixel devices as well.
Anyone with access to a Pixel screenshot that has been cropped or redacted may use the demo site to try and recover it. All image processing is done client side, according to the developers of the demo site.
Pixel device owners may use it to find out if their screenshots are affected by the issue.
A blog post on David Buchanan’s blog provides details on the vulnerability, which is tracked as CVE-2023-21036. Aarons and Buchanan discovered that Google Pixel devices were overwriting cropped or redacted screenshots on the mobile devices with the new version, but not touching the “rest of the original file”. This means that the data is still on the device and that it could potentially be restored.
The blog post is technical in nature, but the author mentions that he wrote a simple script to parse all of his messages with screenshots on Discord to find out if any of them were vulnerable. Turns out, many were vulnerable, but most did not reveal private information. Still, one image, which showed the confirmation of an eBay order, could be restored to show the author’s full postal address.
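A check of the kind described above can be sketched as follows. This is an added example, not the script from the blog post: it assumes the screenshots are PNG files (the page does not state the format) and flags any file that carries bytes after the end of the image, which is where the “rest of the original file” would sit. The function names and the sample files are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data: bytes) -> int:
    """Return the offset just past the first IEND chunk, validating each chunk CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:  # CRC covers type + payload
            raise ValueError("bad CRC in chunk %r" % ctype)
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")

def trailing_bytes(data: bytes) -> int:
    """Number of bytes stored after the image's end marker (0 for a clean file)."""
    return len(data) - png_end_offset(data)

def strip_trailing(data: bytes) -> bytes:
    """Return the file cut off at its end marker, dropping any leftover data."""
    return data[:png_end_offset(data)]

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_png(width: int, height: int) -> bytes:
    """Build a small black grayscale PNG (constructed sample input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = (b"\x00" + b"\x00" * width) * height  # filter byte + pixels per row
    idat = zlib.compress(raw, 0)  # level 0 keeps sizes predictable
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# Constructed samples: a large "original" and a small "cropped" image, plus a file
# in which the cropped image was written over the original without truncating it.
ORIGINAL = make_png(64, 64)
CROPPED = make_png(8, 8)
OVERWRITTEN = CROPPED + ORIGINAL[len(CROPPED):]

if __name__ == "__main__":
    for name, blob in (("cropped", CROPPED), ("overwritten", OVERWRITTEN)):
        print(name, "trailing bytes:", trailing_bytes(blob))
```

A non-zero count only shows that data follows the end of the image; such files are the ones to review and, before sharing, to pass through `strip_trailing`.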
Google seems to be aware of the issue, but it is too early to tell how the company will react to it. Besides plugging the vulnerability, the company somehow has to address the elephant in the room: that fixing the vulnerability does not protect already uploaded or created images from being analyzed and recovered.
Affected Pixel owners may want to remove from public places, where possible, any screenshots that they edited on the device to redact or crop private information or sensitive parts and then uploaded.
The post Google Pixel Privacy nightmare: redacted or cropped screenshots may be recovered (partially) appeared first on gHacks Technology News.