Comment by cookiengineer

7 months ago

Quote:

> Google has attempted to patch Pixnapping by limiting the number of activities an app can invoke blur on. However, we discovered a workaround to make Pixnapping work despite this patch. The workaround is still under embargo.

Great, Google's security policy ended up being a zero-day. Exactly as denied and exactly as predicted by the community.

Also, this is the direct paper link: https://www.pixnapping.com/pixnapping.pdf

I'm confused. They're saying that the original patch was incomplete and that they believe they've re-broken it, but that they aren't publishing the updated attack because the report is embargoed (presumably to update the fix).

What is the security policy you'd like to see here? If the researchers were to publish the updated attack before mitigation then that WOULD be a zero day!

  • The embargo refers to Google's update policy since a couple of months ago, which means that for three months, updates are on hold and only shared with "selected vendors" and not the public.

    Essentially the dumping strategy of open source that Apple has been doing for years.

    Read the LineageOS blog article for more details on why stripping history and publishing only a tarball might be seen as the most stupid development practice ever.

    [1] https://news.ycombinator.com/item?id=45158523

    • Yeah, that's not the sense of "embargo" used in the text you quoted. I think you're arguing about something else. AOSP not getting prompt security patches is indeed a problem, but it's not relevant here. Per the article there is no fix for the updated attack.
