PT-2023-2177 · Google · Android
Published 2023-01-13 · Updated 2023-09-26 · CVE-2023-21036
CVSS v2.0: 9.7 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:C
Name of the Vulnerable Software and Affected Versions
Android versions prior to the fixed version
Description
The issue is related to a logic error in the code of BitmapExport.java, which may cause a failure to truncate images. This can potentially allow an attacker to recover cropped or edited images and disclose confidential information. The vulnerability was discovered by reverse engineers and was fixed in an update in March 2023. However, old photos may still be at risk. In one example, researchers were able to recover 80% of the original image, including credentials, with only the top 20% of the image being damaged. Most social media sites, such as Twitter, reprocess images when they are uploaded, removing any remaining original data. However, images posted on Discord before January 17 may still have this flaw.
Recommendations
For Android versions prior to the fixed version, consider disabling the Markup editor for screenshot editing until a patch is available. Restrict access to edited images to minimize the risk of exploitation. Avoid using the Markup editor for sensitive information until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
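One way to audit edited images that already exist is to look for bytes left behind after the end of the image. This is an added example, not code from the advisory or from Android; it assumes the affected screenshots are PNG files whose leftover data sits after the IEND chunk, and the names `trailing_bytes_after_iend`, `scan_tree`, `chunk` and `build_sample_png` are hypothetical.

```python
import os
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def trailing_bytes_after_iend(data):
    """Bytes left after the IEND chunk; None if data is not a complete PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):            # 4 length + 4 type + 4 CRC
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return None                     # chunk runs past end of file
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    return None                             # no IEND chunk found

def scan_tree(root):
    """Return sorted [(path, leftover_bytes)] for PNGs under root with data after IEND."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".png"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    extra = trailing_bytes_after_iend(fh.read())
                if extra:
                    hits.append((path, extra))
    return sorted(hits)

def chunk(ctype, payload):
    """Serialize one PNG chunk with its CRC."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_sample_png():
    """Constructed 1x1 grayscale PNG used as test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")       # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

if __name__ == "__main__":
    import sys
    for path, extra in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {extra} bytes after IEND")
```

Files it flags can be re-encoded before they are shared or archived; as the description notes, reprocessing an image removes any remaining original data.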
Exploit
Information Disclosure
Affected Products
Android