It specifically concerns the markup feature, which allows users to edit photos in a way that removes sensitive information from images, such as credit cards, by cropping certain aspects or applying image layers. images for elements.
Although Google released a patch for CVE-2023-21036 in its March update, the high-risk vulnerability allowed hackers to roll back many of the changes made to images on Pixel devices.
According to reverse engineers Simon Aarons and David Buchanan, who discovered the problem, with a modified – and seemingly safe – image, the bad guys can in some cases undo the mistakes. This modification exposes sensitive information in a vulnerability called “acropalypse”.
While many of us prefer to share images over channels that prefer some or all of their metadata, such as Discord, this has proven to be less secure, exposing vulnerabilities. It’s worth mentioning that Discord fixed the issue mid-January 2023. In contrast, platforms like Twitter handle images in a different way, making edits irreversible.
The vulnerability stems from Android 9 Pie that coincides with the Pixel 3 series, meaning that the 4, 5, 6, and 7 series will eventually be affected as well.
Given the age of some devices, only Pixel 4a and later are currently receiving security updates, leaving some previous models, including the 4 and any before that, without official support. still vulnerable to attack.
Additionally, edited screenshots sent before the updates were rolled out are still vulnerable and will therefore be removed where possible.