Google Pixel photo edit bug puts phones dangerously at risk — update yours now

(Image credit: Tom's Guide)

Google Pixel 7 and older Pixels have a potentially dangerous flaw hidden within their photo editing tools that, even now patched, could still allow others to reveal potentially compromising information.

The "aCropalypse" flaw, discovered by Simon Aarons and David Buchanan, allows edits made using Android's in-built Markup tool to be at least partially reversed, as the tool on the web page linked above demonstrates.

This isn't by definition a vulnerability, but depending on what you make edits to. You could find personal information (or details you'd rather were left unseen) is surprisingly easy to get at. According to Aarons and Buchanan, uploading these shots to some social media services (like Twitter) would bake in the edits, but others would not, allowing other users to download the image and undo the edits.

We got it to work — it's kind of scary

In our own attempts using the reconstruction tool with screenshots from a Pixel 3a I had to hand, and with help from a colleague with a Pixel 6 Pro, we were able to restore cropped images to their original state, but none we had tried to draw over using the pen or highlighter tool. Here's our best example, where the tool was able to rebuild a full screenshot of a supermarket app from a cropped image of only the banner at the bottom.

Two screenshots illustrating the Pixel aCropalypse flaw. The first, taken from a Google Pixel 6, is a heavily cropped image of an app, showing only the bottom quarter of the image. On the right is the image restored using the aCropalypse.app tool, which has rebuilt almost the entire page save for a partly corrupted/blacked-out section at the top. — Two screenshots illustrating the Pixel aCropalypse flaw. The first, taken from a Google Pixel 6, is a heavily cropped image of an app, showing only the bottom quarter of the image. On the right is the image restored using the aCropalypse.app tool, which has rebuilt almost the entire page save for a partly corrupted/blacked-out section at the top, using the data that's saved within the original cropped version's file. (Image credit: Tom's Guide)

If this was the limit of the bug's abilities, I wouldn't be too worried, but Aarons was able to reveal a (sample) credit card number after it had been blocked out using this method.

The March update that closes this loophole is currently downloadable on the Pixel 4a, Pixel 5a, Pixel 6 and Pixel 6 Pro, plus the latest Pixel 7 and Pixel 7 Pro. However all Pixels since the original can in theory run Android 9, the version that introduced Markup, and therefore be at risk of this flaw.

Make sure you download the update as soon as you can, and be careful about sharing images you've edited in Markup before now.

More from Tom's Guide

See more Phones News

TOPICS

Richard is based in London, covering news, reviews and how-tos for phones, tablets, gaming, and whatever else people need advice on. Following on from his MA in Magazine Journalism at the University of Sheffield, he's also written for WIRED U.K., The Register and Creative Bloq. When not at work, he's likely thinking about how to brew the perfect cup of specialty coffee.