this post was submitted on 13 Oct 2025
97 points (98.0% liked)


Malicious app required to make “Pixnapping” attack work requires no permissions.

[–] Creat@discuss.tchncs.de 13 points 6 months ago

The attack seems similar to side-channel attacks for CPUs, where you'd essentially read protected memory by observing side effects. Same idea but with pixels sent to the display.

[–] FishFace@lemmy.world 5 points 6 months ago (1 children)

Interesting. I wonder what it is that causes the render times to be different and how much noise there is. Maybe the solution will be to worsen timer accuracy!

[–] majster@lemmy.zip 3 points 6 months ago

they did something similar with JS timers in browsers iirc

[–] limerod@reddthat.com 2 points 6 months ago

Here I thought not giving accessibility permission, draw over apps permission among others meant I was safe.

Guess, there's always something on the corner. More infuriating, this was disclosed in February and Google has yet to completely fix the issue. I doubt I would be getting a proper fix any time sooner than March at this pace.

[–] crazyminner@lemmy.ml 2 points 6 months ago (1 children)

Not ones that use keys. Just shut off your data and wifi then plug in the key and get the code and then remove the key and you're good to go.

[–] limerod@reddthat.com 5 points 6 months ago (1 children)

Not all banks and websites support physical key authentication. Besides, those keys can also be vulnerable. YubiKeys and others were vulnerable to a side-channel attack and you had to buy new keys since you cannot patch hardware.

The only saving grace was an attacker needed physical access to attempt that. But yes, in general they can be more secure.

[–] crazyminner@lemmy.ml 2 points 6 months ago

Keys can generate TOTP codes that most if not all services that support 2FA/MFA use.

You just scan the QR or enter the code with the key plugged in and it adds it.