> If you use an Android phone and haven’t disabled system animations, then yes, you’re likely affected. iPhone users are not affected.
Okay... that was much worse than I expected. Looks like you can get the victim to click anywhere, which looks bad. I thought Android had protections against this?
> It is based on transition animations instead of overlays, so it doesn’t need special permissions and isn’t blocked by Android’s overlay protections.
Oh well. Not sure how that slipped past.
qbane · 14h ago
This has a long history dating back to the Flash era.
> One of the most notorious examples of Clickjacking was an attack against the Adobe Flash plugin settings page. By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer’s microphone and camera.
svpk · 7h ago
GrapheneOS resolved this a while ago. Which shows google and other android vendors could have resolved this quickly if they were motivated too.
> independently and confidentially reported by @MG193_7 (ByteDance IES RedTeam) to the Android Security Team in early 2023
I wonder if this is in the wild anywhere, it has to be after 2.5 years right?
_vere · 11h ago
Actually insane that this isn't patched in AOSP yet, literally the only android devices that aren't vulnerable are those running graphene. For companies as big as google, there really ought to be just disgusting financial penalties if they leave something like this unfixed for this amount of time.
altfredd · 13h ago
This might be somewhat less threatening then it sounds, because it requires caller to fully control animations used for entering the targeted Activity.
In particular, this vulnerability might not overcome root permission prompts on rooted devices, because their windows are launched and controlled by the installed su app, not by attacker.
chasing0entropy · 6h ago
C'mon guys, Google hasn't neglected patching this for years because it would conflict with their own software's behavior, right?
Right?
SoftTalker · 14h ago
Another reason not to install random apps.
subscribed · 11h ago
You probably forgot about multiple instances of malware found in the official Google Play store.
SoftTalker · 3h ago
I include most of Play Store apps in my definition of "random apps." If it's not from a very mainstream publisher I won't install it.
master-lincoln · 8h ago
What makes you think so? Apps in the Google Play store could be called random apps too.
I guess the poster was more leaning towards trusting the developer of an app.
Okay... that was much worse than I expected. Looks like you can get the victim to click anywhere, which looks bad. I thought Android had protections against this?
> It is based on transition animations instead of overlays, so it doesn’t need special permissions and isn’t blocked by Android’s overlay protections.
Oh well. Not sure how that slipped past.
https://owasp.org/www-community/attacks/Clickjacking
> One of the most notorious examples of Clickjacking was an attack against the Adobe Flash plugin settings page. By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer’s microphone and camera.
https://bsky.app/profile/minimalblue.bsky.social/post/3lul6i...
I wonder if this is in the wild anywhere, it has to be after 2.5 years right?
In particular, this vulnerability might not overcome root permission prompts on rooted devices, because their windows are launched and controlled by the installed su app, not by attacker.
Right?