Markup was released as part of Android 9 Pie in 2018 and allows users to crop, draw, add text, and highlight screenshots. As an example, let's say you took a screenshot of your credit card from your bank's website. You crop out everything except the card number, which you then cover up using the black marker tool available in Markup. If you share this image on certain platforms, the vulnerability can allow an attacker to see most of the original, unedited screenshot as it looked before it was cropped or edited.
Figure: Example of how the aCropalypse flaw can expose personal information from an edited screenshot
In other words, the edits can be reversed: the black lines covering the card's account number disappear and reveal the information that was hidden. In fact, 80% of the screenshot can be recovered, possibly allowing other personal information such as addresses, phone numbers, and other private data to be viewed.
This occurs because Markup writes the edited screenshot to the same file as the original, pre-edit, pre-crop screenshot, and the original image data is never removed from that file. Some platforms, such as Twitter, reprocess uploaded images, which removes the leftover data. Discord, however, did not patch its site until January, which means images posted on the platform before January 17th could be vulnerable.