Google Pixel photo edit bug puts phones dangerously at risk — update yours now

News
By published

Google Pixel bug allows users to restore original images from edited ones

Google Pixel 7 review
(Image credit: Tom's Guide)

Google Pixel 7 and older Pixels have a potentially dangerous flaw hidden within their photo editing tools that, even now patched, could still allow others to reveal potentially compromising information.

The "aCropalypse" flaw, discovered by Simon Aarons and David Buchanan, allows edits made using Android's in-built Markup tool to be at least partially reversed, as the tool on the web page linked above demonstrates. 

This is possible because the original files are saved alongside the edited ones, rather than overwriting or saving the two images separately.

The pair reported the issue to Google privately back in January, but they believe the issue has been around for as long as five years, or in other words, as long as the Markup tool has been available since arriving in Android 9 (Pie).

This isn't by definition a vulnerability, but depending on what you make edits to. You could find personal information (or details you'd rather were left unseen) is surprisingly easy to get at. According to Aarons and Buchanan, uploading these shots to some social media services (like Twitter) would bake in the edits, but others would not, allowing other users to download the image and undo the edits.

However, the researchers mention that others, such as Discord, would until recently upload the file as-is, allowing users in the same channel to potentially undo edits.

We got it to work — it's kind of scary

In our own attempts using the reconstruction tool with screenshots from a Pixel 3a I had to hand, and with help from a colleague with a Pixel 6 Pro, we were able to restore cropped images to their original state, but none we had tried to draw over using the pen or highlighter tool. Here's our best example, where the tool was able to rebuild a full screenshot of a supermarket app from a cropped image of only the banner at the bottom.

Two screenshots illustrating the Pixel aCropalypse flaw. The first, taken from a Google Pixel 6, is a heavily cropped image of an app, showing only the bottom quarter of the image. On the right is the image restored using the aCropalypse.app tool, which has rebuilt almost the entire page save for a partly corrupted/blacked-out section at the top.

Two screenshots illustrating the Pixel aCropalypse flaw. The first, taken from a Google Pixel 6, is a heavily cropped image of an app, showing only the bottom quarter of the image. On the right is the image restored using the aCropalypse.app tool, which has rebuilt almost the entire page save for a partly corrupted/blacked-out section at the top, using the data that's saved within the original cropped version's file. (Image credit: Tom's Guide)

If this was the limit of the bug's abilities, I wouldn't be too worried, but Aarons was able to reveal a (sample) credit card number after it had been blocked out using this method.

The March update that closes this loophole is currently downloadable on the Pixel 4a, Pixel 5a, Pixel 6 and Pixel 6 Pro, plus the latest Pixel 7 and Pixel 7 Pro. However all Pixels since the original can in theory run Android 9, the version that introduced Markup, and therefore be at risk of this flaw. 

Make sure you download the update as soon as you can, and be careful about sharing images you've edited in Markup before now.

More from Tom's Guide

See more Phones News
TOPICS
Richard Priday
Richard Priday
Assistant Phones Editor

Richard is based in London, covering news, reviews and how-tos for phones, tablets, gaming, and whatever else people need advice on. Following on from his MA in Magazine Journalism at the University of Sheffield, he's also written for WIRED U.K., The Register and Creative Bloq. When not at work, he's likely thinking about how to brew the perfect cup of specialty coffee.

Read more
The camera assembly on the Google Pixel 9
The latest Google Pixel update is breaking fingerprint scanners — but there may be a fix
Google Pixel 4a vs. OnePlus Nord
Google’s battery update is reportedly tanking the Pixel 4a — here’s what we know
Google Pixel 9 held in the hand.
Google just fixed a zero-day kernel flaw used by hackers and 47 other vulnerabilities — update your Android phone right now
Google Photos icon on phone
Google could finally fix an annoying limitation with Google Photos — here's what we know
Pixel Studio showing people illustration
Pixel Studio can finally generate people — and that's not the only change Google is bringing to Pixel phones
A man staring at a phone with the Google Photos logo on it
Google Photos will soon make clearing your pictures way easier — here’s how
Latest in Google Phones
back of Iris Pixel 9a
The Google Pixel 9a is lacking one of the Pixel 9’s best safety features — here’s what we know
Google Pixel 9a with thumbs up and thumbs down icons
Google Pixel 9a — 5 reasons to buy and 3 reasons to skip
Pixel 9 Pro XL held in the hand with price drop badge.
Not a typo! This epic deal makes the flagship Pixel 9 Pro XL the same price as the budget Pixel 9a
Google Pixel 9a hands-on.
Pixel 9a’s on-device AI isn’t as good as the Pixel 9 — here’s what’s different
Google Pixel 9 Pro deal
Forget Pixel 9a — get the Google Pixel 9 Pro for $250 off at Best Buy right now
back of Iris Pixel 9a
Google Pixel 9a pre-orders delayed due to 'component quality issue' — here's when you can get one
Latest in News
iPhone 16 Pro vs iPhone 16 Pro Max in hand showing displays
Forget iPhone 17 — iPhone 18 could get this huge upgrade
The new Husqvarna iQ series robot lawn mower.
Husqvarna’s new robot mowers offer GPS for less
Rendered images of rumored foldable iPhone.
Foldable iPhone report just revealed key details — here's what we know
NYTimes Connections
NYT Connections today hints and answers — Sunday, March 23 (#651)
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #385 (Sunday, March 23 2025)
Nintendo Switch 2
Nintendo Switch 2 rumored specs — here’s what we know so far
More about google phones
back of Iris Pixel 9a

The Google Pixel 9a is lacking one of the Pixel 9’s best safety features — here’s what we know

Google Pixel 9a hands-on.

The Pixel 9a just did something phone cameras haven't done in over a decade
The new Husqvarna iQ series robot lawn mower.

Husqvarna’s new robot mowers offer GPS for less
See more latest