Comment by ChrisArchitect

7 months ago

Source: https://www.pixnapping.com/

Quote:

> Google has attempted to patch Pixnapping by limiting the number of activities an app can invoke blur on. However, we discovered a workaround to make Pixnapping work despite this patch. The workaround is still under embargo.

Great, Google's security policy ends up being a zero-day. Exactly as denied and exactly as predicted by the community.

Also, this is the direct paper link: https://www.pixnapping.com/pixnapping.pdf

  • I'm confused. They're saying that the original patch was incomplete and that they believe they've re-broken it, but that they aren't publishing the updated attack because the report is embargoed (presumably to update the fix).

    What is the security policy you'd like to see here? If the researchers were to publish the updated attack before mitigation then that WOULD be a zero day!

    • The embargo refers to Google's update policy since a couple of months ago, which means that for three months, updates are on hold and only shared with "selected vendors" and not the public.

      Essentially the dumping strategy of open source that Apple has been doing for years.

      Read the LineageOS blog article for more details on why stripping history and publishing only a tarball might be seen as the most stupid development practice ever.

      [1] https://news.ycombinator.com/item?id=45158523


This really needs to be the link. The article is phrased as if this was a zero day exploiting some kind of 2FA bug, but the actual meat is that it's a novel and really interesting new kind of attack vector (albeit not a particularly practical one) that no one had thought about before.

  • I would not say "no one had thought about before".

    Side channel attack is not a novel idea, just not used to find Android bugs like this.

    • > Side channel attack is not a novel idea

      Yes, but "side channel attack" isn't much of a description, is it? You can't just declare "I make a side channel attack!"[1], you need to invent one.

      In this case it turns out that the hardware rendering of the zoom animation in the blur effect of stacked activities on the screen left crumbs that can be detected in the alien context. I certainly didn't know that. Did you know that? I don't think anyone knew that! It's "novel".

      [1] Shades of Michael Scott declaring bankruptcy.