Screenshots edited in Pixels’ markup tool could be un-edited with aCropalypse exploit

Pixel owners have long put up with editing their screenshots in the default markup tool. The paint inputs aren’t great at redacting anything, even if you scrub a spot real hard, and the crop tool is hilariously lacking any preset aspect ratios. But there’s another reason why you shouldn’t use markup, and it’s a reason to think about where, and to whom, you’ve sent your images.

Researchers Simon Aarons and David Buchanan have gone public with an exploit they are dubbing “aCropalypse” which, in essence, allows anyone to take a PNG screenshot cropped in Android’s default markup tool and undo at least some of the edits, recovering portions of the image that were never intended for viewing. The exploit was reported to Google and is patched in the March security update for Pixels (see CVE-2023-21036), but redacted images sent on certain platforms — including, but not limited to, Discord prior to mid-January — over the last several years could still be at risk of exposure.
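The practical question for anyone who has shared cropped screenshots is how to tell whether a given PNG carries leftover data from the original file. The script below is an added example, not code from the article or from the researchers: it walks the PNG chunk list, reports how many bytes follow the IEND chunk (a well-formed PNG ends there), and trims the file to that boundary. The sample images are constructed in code, and `simulate_unterminated_overwrite` is a hypothetical helper that models a shorter file being written over a longer one without truncation, so the tail of the original survives.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def find_png_end(data: bytes) -> int:
    """Return the offset just past the IEND chunk (length, type, body, CRC).

    Raises ValueError if the bytes are not a well-formed PNG.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        chunk_end = body_start + length + 4  # body plus 4-byte CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        # Verify the chunk CRC so corrupted files are not mistaken for clean ones.
        expected_crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        actual_crc = zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF
        if expected_crc != actual_crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Number of bytes after IEND; anything above zero deserves a closer look."""
    return len(data) - find_png_end(data)


def sanitize(data: bytes) -> bytes:
    """Drop everything after IEND so only the visible image is shared."""
    return data[:find_png_end(data)]


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_test_png(width: int, height: int) -> bytes:
    """Constructed sample: an 8-bit RGB PNG with a varied, poorly compressible pattern."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = []
    for y in range(height):
        pixels = bytes(((x * 31 + y * 17) ^ (x * y)) & 0xFF for x in range(width * 3))
        rows.append(b"\x00" + pixels)  # filter type 0 per scanline
    idat = zlib.compress(b"".join(rows))
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def simulate_unterminated_overwrite(original: bytes, cropped: bytes) -> bytes:
    """Hypothetical model of the defect: the cropped file is written in place over the
    original without truncating it, so the original's tail remains on disk."""
    if len(cropped) >= len(original):
        raise ValueError("model only applies when the new file is shorter")
    return cropped + original[len(cropped):]


if __name__ == "__main__":
    original = make_test_png(16, 16)
    cropped = make_test_png(2, 2)
    leaked = simulate_unterminated_overwrite(original, cropped)
    print("clean crop, trailing bytes:", trailing_bytes(cropped))
    print("leaky crop, trailing bytes:", trailing_bytes(leaked))
    print("sanitized matches clean crop:", sanitize(leaked) == cropped)
```

Run against a real file with `trailing_bytes(open(path, "rb").read())`; a non-zero result means the file holds more than the image you see, and `sanitize` gives a copy that is safe to share. This check only detects and trims the leftover data; it does not attempt to reconstruct it.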