Submitted 14 hours ago by BrikoX@lemmy.zip to technology@lemmy.zip
Malicious app required to make “Pixnapping” attack work requires no permissions.
The attack seems similar to sidechannel attacks for CPUs, where you’d essentially read protected memory by observing side effects. Same idea but with pixels sent to the display.
Interesting. I wonder what it is that causes the render times to be different and how much noise there is. Maybe the solution will be to worsen timer accuracy!
they did something similar with JS timers in browsers iirc
Not ones that use keys. Just shut off your data and wifi then plug in the key and get the code and then remove the key and you’re good to go.
Not all banks and website support physical key authentication. Besides, those keys can also be vulnerable. Yubikeys and others were vulnerable to a side channel attack and you had to buy new keys since you cannot patch hardware.
The only saving grace was an Attacker needed physical access to attempt that. But, yes in general can be more secure.
Keys can generate TOTP codes that most if not all services that support 2FA/MFA use.
You just scan the QR or enter the code with the key plugged in and it adds it.
justOnePersistentKbinPlease@fedia.io 13 hours ago
Yeah, so if you install an app that gives them full permissions, they can see what you're doing on your phone.
shocking
BrikoX@lemmy.zip 13 hours ago
Expect attack “requires no permissions” for the app to work.
XLE@piefed.social 13 hours ago
The article is pretty clear that the issue is with the Android devices themselves, not with lazy users. There is no indication that a malicious app has these permissions.