Google Pixel Privacy Nightmare: redacted or cropped screenshots may be recovered (partially)

Gandalf_The_Grey

Google Pixel owners who have used the built-in screenshot functionality and uploaded some of the screenshots to the Internet face a potential privacy disaster. Due to the way redacted or cropped screenshots are saved on Pixel devices, it is possible to recover the original unredacted image.

Named Aprocalypse by security researcher Simon Aarons, it is a serious issue that could lead to personal information being exposed on the Internet. To name a few examples: a screenshot of a credit card with a redacted number could reveal the number, a user who cropped an image to hide parts of it could find that image being restored to full, and a user who published a screenshot with redacted address information could discover that the address may be revealed after all.

A demo site is available already that demonstrates the image recovery functionality. It seems to work with all recent Pixel devices, from the latest Pixel 7 Pro to Pixel 3. There is also an option to set a custom resolution for the image, which may then work with other Pixel devices as well.

Anyone with access to a Pixel screenshot that has been cropped or redacted may use the demo site to try and recover it. All image processing is done client side, according to the developers of the demo site.

Pixel device owners may use it to find out if their screenshots are affected by the issue.

A blog post on David Buchanan's blog provides details on the vulnerability, which is tracked as CVE-2023-21036. Aarons and Buchanan discovered that Google Pixel devices were overwriting cropped or redacted screenshots on the mobile devices with the new version, but not touching the "rest of the original file". This means that the data is still on the device, and that it could potentially be restored.

The blog post is technical in nature, but the author mentions that he wrote a simple script to parse all of his messages with screenshots on Discord to find out if any of them were vulnerable. Turns out, many were vulnerable, but most did not reveal private information. Still, one image, which showed the confirmation of an eBay order, could be restored to show the author's full postal address.

Google seems to be aware of the issue, but it is too early to tell how the company will react to it. Besides plugging the vulnerability, the company somehow has to address the elephant in the room: that fixing the vulnerability does not protect already uploaded or created images from being analyzed and recovered.
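As an added example, not code from the article or from the researchers' blog: a small self-check for the "rest of the original file" problem described above. It assumes the screenshots are PNG files (the page does not name the format) and reports how many bytes remain after the PNG IEND chunk, which an image viewer silently ignores; the sample images and the overwrite-without-truncate model are constructed here to show the difference between a clean file and an affected one.

```python
import struct
import zlib
import random

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND's CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length          # length + type + data + CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk found")

def check_screenshot(data: bytes) -> dict:
    """Bytes after IEND are ignored by decoders but are exactly what recovery tools read."""
    end = png_end_offset(data)
    return {"png_end": end, "trailing": len(data) - end, "affected": len(data) > end}

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_png(width: int, height: int, pixels: bytes) -> bytes:
    """Build a minimal 8-bit RGB PNG (filter byte 0 per row) from raw pixel bytes."""
    row = width * 3
    raw = b"".join(b"\x00" + pixels[y * row:(y + 1) * row] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def overwrite_without_truncate(original: bytes, new: bytes) -> bytes:
    """Model of the bug: the edited image is written from offset 0 but the file is never truncated."""
    return new + original[len(new):]

# Constructed sample: a 16x16 "screenshot" with incompressible content, then a 4x4 crop of it.
ORIGINAL = make_png(16, 16, random.Random(7).randbytes(16 * 16 * 3))
CROPPED = make_png(4, 4, b"\x00" * (4 * 4 * 3))
ON_DISK = overwrite_without_truncate(ORIGINAL, CROPPED)

if __name__ == "__main__":
    for name, blob in (("clean crop", CROPPED), ("crop as saved on disk", ON_DISK)):
        print(name, check_screenshot(blob))
```

Running it on a real screenshot is a matter of passing the file's bytes to check_screenshot; a non-zero "trailing" count means leftover data from the earlier version is still present.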

Ink

Just another reason to NOT buy a Pixel phone. If Google cannot perfect an Android phone, no one can. Samsung and other manufacturers come with unremovable pre-installed bloatware. The iPhone isn't an option for Android users who rely on apps outside of the Play Store.

Malleable

Doesn't surprise me. In a similar vein, about 10 - 15 years ago they caught a pedophile that used the Adobe Photoshop (s/t)wirl graphic treatment to obscure his face in photographs. Authorities were able to reverse the algorithm and restore his face. Then there was a technique, also a while back, that can examine the pixels surrounding deleted data and infer the deleted pixels. Sounds to me like that one would most likely work best with deleted or cleanly redacted text.
Trident

Samsung and other manufacturers come with unremovable pre-installed bloatware.
This is the best that can be obtained in the Android world imo. If a user is all about freedom and customisation, they will have to deal with the bloatware (most likely by disabling these apps) and use a Samsung device. They seem to be the closest Apple rival. Pixel is undeniably rubbish and I don’t trust vendors like Xiaomi to deliver a secure environment and experience.

Ink

This is the best that can be obtained in the Android world imo. If a user is all about freedom and customisation, they will have to deal with the bloatware (most likely by disabling these apps) and use a Samsung device. They seem to be the closest Apple rival. Pixel is undeniably rubbish and I don’t trust vendors like Xiaomi to deliver a secure environment and experience.
Samsung is one of the worst Android manufacturers when it comes to bloatware, preinstalled junk or non-removable. And you don't have to look far to know that you get 2 versions of the same apps with slight variations.

From the updated article:
Samsung's 25GB Android package is still bigger than ever and four times the size of Google's 6GB Android install.
Source: Hot Take - Bloatware pushes the Galaxy S23 Android OS to an incredible 60GB

Samsung Galaxy =/= iPhones

n8chavez

Just another reason to NOT buy a Pixel phone. If Google cannot perfect an Android phone, no one can. Samsung and other manufacturers come with unremovable pre-installed bloatware. The iPhone isn't an option for Android users who rely on apps outside of the Play Store.

Yeah, no. We'll have to agree to disagree on that one. I love my Pixel 6 Pro. Everything about it is awesome, and it proves that software is more important than hardware. Every device has bugs, and I'm not about to throw the baby out with the bathwater.

Ink

Yeah, no. We'll have to agree to disagree on that one. I love my Pixel 6 Pro. Everything about it is awesome, and it proves that software is more important than hardware. Every device has bugs, and I'm not about to throw the baby out with the bathwater.
Windows has the same bug. Everyone must delete the OS to preserve their privacy. /s


Edit added: I didn't mean to imply all Pixel users should dump their Pixel phone. As a non-Pixel owner, looking to buy the next Pixel 8, seeing reports of privacy-issues and breaking hardware doesn't shine a good light. @n8chavez

ForgottenSeer 98186

This is the best that can be obtained in the Android world imo. If a user is all about freedom and customisation, they will have to deal with the bloatware (most likely by disabling these apps) and use a Samsung device. They seem to be the closest Apple rival. Pixel is undeniably rubbish and I don’t trust vendors like Xiaomi to deliver a secure environment and experience.
Android is for "users that want to use stuff."

I think the Pixel is svelte hardware.

Android just has too many problems and shortcomings. Apple iPhone is much better. But Android users say the same thing about iPhone because they cannot do everything that they want on an iPhone (but that will change with the latest legal case against Apple's iPhone apps ecosystem).

oldschool

This observer probably has it about right:
I think problems like this can be harder to find than they seem. Especially in this case, the same type of thing was found in Google's software for the Pixel and in the snipping tool. I think lots of people might be shocked at the number of simple things that have problems, or would have problems in the event that anybody actually went looking for an issue. Most issues are probably just sitting there left undiscovered.
My "Keep it simple" advice still stands.

Digmor Crusher

This is the best that can be obtained in the Android world imo. If a user is all about freedom and customisation, they will have to deal with the bloatware (most likely by disabling these apps) and use a Samsung device. They seem to be the closest Apple rival. Pixel is undeniably rubbish and I don’t trust vendors like Xiaomi to deliver a secure environment and experience.
My Pixel isn't rubbish, way cheaper than an Apple and less bloat than a Samsung, and pretty much does everything they do.

n8chavez

My Pixel isn't rubbish, way cheaper than an Apple and less bloat than a Samsung, and pretty much does everything they do.

Pixels offer things I've never seen any other phone have, like AI-assisted call screening. The moment other devices can effectively do things like that I might re-think.