CVE-2023-21036 / acropalypse is absolutely bonkers.

Apparently for 5+ years the cropping / editing tools for screenshots on Google Pixel phones were only overwriting the start of the screenshot PNG file, but not truncating.

All screenshots shared for the past 5+ years might have data recoverable from them. Demo available at https://acropalypse.app/

Google still hasn't communicated anything on this.

(h/t ItsSimonTime on Musk's site)


@delroth Is this specifically Pixel devices only? Or are other devices possibly affected?

@NekoEd no idea -- another reason why it would be great if Google actually released information...

I've only seen confirmation for Pixel screenshots. However the root cause of the vulnerability is a behavior change in AOSP which could potentially have similar effects for other apps (https://issuetracker.google.com/issues/180526528).

@delroth @NekoEd OxygenOS 13's Photos app (OnePlus) does not seem to be vulnerable (even if it was, screenshots on Oxygen are jpg).