Google’s photo editing app bug exposed cropped images

A vulnerability dubbed “aCropalypse” allows attackers to recover parts of screenshots that users cropped out or edited before sharing them.
The aCropalypse bug, tracked as CVE-2023-21036, lets an attacker recover parts of a cropped image. Its root cause is that the editor saved the edited image over the original file without truncating it, so whenever the edited PNG was smaller than the original, the tail of the original file stayed behind after the new image’s end marker. A malicious actor could download such an image from Discord and run the published exploit to reconstruct parts of the picture the user didn’t want to make public.
“I wrote a script to scrape my own message history to look for vulnerable images. There were lots of them, although most didn’t leak any particularly private information,” security researcher David Buchanan said in a blog post.
According to Buchanan, in one case he recovered part of an eBay order confirmation email, with the product he had bought visible; using the exploit, he was able to reconstruct a full postal address that had been cropped out of the picture.
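The check Buchanan describes running over his own message history comes down to asking whether a PNG carries any bytes after its IEND chunk, which a correct writer never leaves behind. The following is an added example written for this page, not Buchanan’s script or Google’s code: it builds a constructed test image with the standard library, simulates the non-truncating overwrite that caused the bug, and shows that the detector flags the resulting file and that the leftover bytes are exactly the tail of the original image. The image contents, sizes and function names are all assumptions made for the demonstration.

```python
import random
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_png(width: int, height: int, seed: int = 0) -> bytes:
    """Build a minimal valid 8-bit RGB PNG with pseudo-random pixels.

    Constructed test image (not a real screenshot): random pixels keep the
    IDAT payload about as large as the raw image, so a bigger image really
    does produce a bigger file.  Each row starts with filter byte 0 (None).
    Uses random.Random.randbytes, so Python 3.9+ is assumed."""
    rng = random.Random(seed)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + rng.randbytes(width * 3) for _ in range(height))
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def trailing_bytes_after_iend(png: bytes) -> int:
    """Walk the chunk list and return how many bytes follow the IEND chunk.

    A well-formed writer ends the file at IEND, so anything after it is
    leftover data; for an aCropalypse-style file it is the tail of the
    original, uncropped image.  Raises ValueError for a non-PNG input or a
    file whose chunk list never reaches IEND."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, chunk_type = struct.unpack(">I4s", png[pos:pos + 8])
        pos += 8 + length + 4          # header + payload + CRC
        if chunk_type == b"IEND":
            return len(png) - pos
    raise ValueError("no IEND chunk found")


def leftover_data(png: bytes) -> bytes:
    """Return the bytes after IEND (empty for a clean file)."""
    n = trailing_bytes_after_iend(png)
    return png[len(png) - n:] if n else b""


def overwrite_without_truncate(original: bytes, edited: bytes) -> bytes:
    """Simulate the buggy save path: the edited image is written from offset 0
    over the existing file without truncating it, so whatever lay beyond the
    new length survives.  If the new file is not shorter, nothing leaks."""
    return edited + original[len(edited):]


def demo() -> dict:
    """Run the scenario end to end on constructed data."""
    original = make_png(64, 64, seed=1)   # the full "screenshot"
    cropped = make_png(8, 8, seed=1)      # what the user meant to share
    leaked = overwrite_without_truncate(original, cropped)
    return {
        "clean_trailing": trailing_bytes_after_iend(cropped),
        "leaked_trailing": trailing_bytes_after_iend(leaked),
        "leftover_is_original_tail": leftover_data(leaked) == original[len(cropped):],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Pointing `trailing_bytes_after_iend` at downloaded files is enough to triage a message history: a non-zero result means the file was written by something that did not truncate, and the count tells you how much of the original survived. Recovering the image itself takes more work, because the leftover is the middle of a zlib stream with no header and must be resynchronised at a Deflate block boundary, which is what the published exploit does.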
The bug affected Markup, the screenshot editing tool built into Google Pixel devices. Security researcher Simon Aarons is credited with identifying and reporting the vulnerability to Google, which fixed it in its March 2023 Pixel security update. The fix does not help images that were already shared: any such file stored without being re-encoded still carries the leftover data, while platforms that re-compress uploaded images discard it.