A new vulnerability was revealed by researchers Simon Aarons and David Buchanan that allows previously redacted details to be reclaimed, if the screenshots were taken and changes were made, using the markup editing tool found on Google Pixel devices. While the issue has been addressed in the latest March security patch, the problem still remains in all the images and screenshots that were shared over the years prior to this patch.

In order to show how this vulnerability works, Aarons has built a website featuring a tool that will allow you to test out the issue. You simply feed it an edited PNG screenshot that has been altered using the Pixel’s markup tool, and it will attempt to recover additional data found in the image. As far as what can be reclaimed with vary, but this can range from removing obfuscated details or delivering more of the image by restoring portions that were cropped.

As far as why this ever occurred, apparently there were some changes made in Android 10 that caused the original data from edited images to still remain in the file. That’s why this vulnerability can still scrape images to reveal things that were previously hidden or removed. Of course, this is a very basic explanation, but if you want to deep dive into the full details of how it all works, you can head to Buchanon's website.

Of course, there’s still the matter of all the affected images sent over the past few years. For most, there really won't be a way to easily locate and remove these files when they've been posted around the internet. While Buchanon does mention a script he created for himself that would find these types of images on Discord, he has not released the tool to the public. As a Pixel user, if you’ve updated to the latest security update, you’ve done pretty much all that you can do. But if you’ve ever sent out images into the world with redacted sensitive information, sadly, there’s still a high chance that these images can have their data revealed, so be vigilant.


Source: Simon Aarons (Twitter), David Buchanon (Twitter)