The vulnerability was discovered by security researchers Simon Aarons and David Buchanan, who reported on Twitter that it was possible to recover sensitive information from images modified within the last 5 years using an attack they named “Acropalypse”.
Highlighter is an inbuilt image editor that allows you to rearrange, crop, and edit images on your Google Pixel device.
Aarons shared an example of how they used the Acropalypse vulnerability to recover a photo uploaded to Discord of a credit card with a deleted number using the black markup feature of the marker. .
After running the image through the Acropalypse exploit, they restored the original image.
The researchers also posted online the Acropalypse screenshot recovery utility to allow Pixel owners to check their own reprocessed images and see if they’re recoverable. Researchers reported this vulnerability to Google in January 2023, and the company patched it through an update released on March 13, 2023, tracking it as CVE-2023-21036.
The problem is believed to stem from the way the image file is opened for editing, which has the effect of leaving truncated data in the saved image and allowing about 80% of the original version to be restored.
The vulnerability could expose sensitive information that the image creator had reprocessed with Pixel’s markup tool before sharing the media with others or posting it online.
This applies to posting to platforms that do not compress user-uploaded media, so sensitive data, if any, remains intact. An FAQ with more details on the matter will soon be posted on a dedicated website, but not available at the time of writing. Buchanan has revealed some additional technical details on this on his blog.
Although Google fixed the issue in a recent update to Pixel phones, all images shared within the last 5 years are vulnerable to Acropalypse and nothing can be done. As a result, the vulnerability could have serious privacy implications for users who uploaded screenshots with sensitive information reprocessed with the markup tool. It could also affect users who share self-revealing images, with parts of the image previously retouched but now recoverable.
This issue unfortunately affects all Pixel models running Android 9 Pie or later, when the marker was introduced and until the February 2023 security update. It should be noted that Google released the March 2023 security update for Pixel 4a, 5a, 7 and 7 Pro a week late due to coinciding with the quarterly “Pixel feature drop” and also discovered 18 holes. zero-day vulnerability in the Exynos modem used in the Pixel 6 and 7 series.