David Schütz, a bug hunter, discovered a way to gain access to a phone without a password, which may affect other phones as well.
The vulnerability can be exploited by using a different SIM card. A hacker with physical access to a phone would cause the phone's fingerprints to be disabled.
A hacker would take the original SIM card and use it to make their own. They would have to use the wrong PIN to get the foreign SIM unlocked.
The hacker would know that the phone is asking for the PUK code since they've placed their own SIM in it. The phone opens to the home screen when you input it.
Schütz says he was able to duplicate this multiple times, both on a fully updated Pixel 6 and an older Pixel 5.
Schütz said in the post that his hands were shaking. "What the f**k? Is it possible that it unlocked itself?"
Immediately, Schütz sent in the report. He says that it was flagged by the search engine and that it was filed within 37 minutes. The quality began to decline after that.
He wrote that there was a month of silence after it was taken care of.
Schütz was told that he wouldn't get any reward money because the bug had already been reported by another person.
Schütz tried to reproduce the bug again two months after the September security update, despite no follow-up from the search engine. It continued to work. Schütz decided to show the vulnerability to the engineers. They finally paid attention to that.
Schütz said that they noticed after he started screaming.
His persistence earned him a reward of $70,000, with a fix now reflected in the company's source code, but if you ask us, he should've got the full $100,000.