:1984:
Google Pixel bug lets you “uncrop” the last four years of screenshots
New tool reveals cropped-out screenshot info isn't deleted, can be recovered.

Back in 2018, Pixel phones gained a built-in screenshot editor called "Markup" with the release of Android 9.0 Pie. The tool pops up whenever you take a screenshot, and tapping the app's pen icon gives you access to tools like crop and a few colored drawing pens. That's very handy assuming Google's Markup tool actually does what it says, but a new vulnerability points out the edits made by this tool weren't actually destructive! It's possible to uncrop or unredact Pixel screenshots taken during the past four years.
[...]
the Android 9 release of the Markup tool worked correctly and truncated the overwritten file. Android 10 brought a lot of dramatic "Scoped Storage" changes to how file storage worked in Android, though. It's unclear how or why this happened, but perhaps as part of that huge wave of file-handling commits, one undocumented change made it into the Android Framework file parser: the Framework's "write" mode stopped truncating overwritten files, and the bug in Markup was created. The Markup tool relied on the OS's file handling, and the way it worked changed in a later release, which it looks like nobody noticed.
This happens in my iPhone. I always thought this was a feature lol. If you crop saved photos or new screenshots, you can revert it back to normal.
On iPhone you can choose to share the original file allowing the edits to be undone, or a “flattened” file without that capability.
The problem here is that Google changed an API default that influenced how the final file was written when preparing a “flattened” version of the file, the end result allowing people to restore some of the original data. A detailed writeup is here: https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html
Yeah, this is a feature and intentional, much like cropping via the "Photos" app on Android. But the cropped output file (what you send to others) does not contain the redacted information.
"Markup" was a component that shows the user a thumbnail of the screenshot after taking it, which can be tapped to bring up the editor, or it just brings up the editor after every screenshot and lets the user edit it (behavior might differ by version). Its output files which were shared with others did contain the redacted info.
On iOS it does that by keeping a copy of the original, and making a new file for the edited version.