Researcher discovered a new lock screen bypass bug for Android 14 and 13

Pierluigi Paganini December 10, 2023

Researchers discovered a lock screen bypass bug in Android 14 and 13 that could expose sensitive data in users’ Google accounts.

The security researcher Jose Rodriguez (@VBarraquito) discovered a new lock screen bypass vulnerability for Android 14 and 13. A threat actor with physical access to a device can access photos, contacts, browsing history and more.

A couple of months ago, the researcher published multiple platforms, including Twitter, Reddit, and Telegram, asking if it was possible to open a Google Maps link from the lock screen because he couldn’t do it with his Pixel locked.

Rodriguez recently discovered that it is possible to bypass the lock screen and claimed that Google is also aware of the issue for at least six months and has yet to address it.

The expert reported the issue to Google in May and pointed out that at the end of November, there was still no scheduled date for a security update.

Rodriguez clarified that the impact of the exploits varies based on the user’s installation and configuration of Google Maps. The severity significantly escalates if the DRIVING MODE is activated.

Below are the two scenarios, and related levels of severity, described by the researcher:

  • If the user does NOT have DRIVING MODE activated: an attacker can access recent and favorite locations (home, work…), also contacts, and share location in real time with contacts or with an email that the attacker can enter manually.
  • If the user DOES have DRIVING MODE activated: by chaining another exploit, in addition to the accesses mentioned in the previous point, an attacker can access the photos of the device, to publish them or to add them as a profile image of the account. Google, and you also get access to extensive information and configuration of the Google account or accounts, with the possibility of gaining full access to the account from a second device and much more that is still to be investigated.

Rodriguez urges Android users to test the screen lock bypass on their phones and provide their comments, including the Android version and model of their devices.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android)



you might also like

leave a comment