- Pixnapping steals 2FA codes and other on-screen data in under 30 seconds without requesting any permission.
- It works by abusing Android APIs and a GPU side channel to infer the pixels rendered by other apps.
- Tested on Pixel 6 through 9 and on the Galaxy S25; the first patch (CVE-2025-48561) does not block it completely.
- Recommended: use FIDO2/WebAuthn, minimize sensitive data on screen, and avoid apps from untrusted sources.
A team of researchers has disclosed Pixnapping, a novel attack technique against Android phones that can capture what is displayed on the screen and extract confidential data such as 2FA codes, messages or locations in a matter of seconds, without requesting any permission.
The key is the abuse of certain system APIs together with a GPU side channel to obtain the content of the pixels you see; the process is invisible and works as long as the information remains visible, while secrets that are never shown on screen cannot be stolen. Google has released a mitigation tracked as CVE-2025-48561, but the discoverers have demonstrated ways to bypass it, and further hardening is expected in the December Android security bulletin.
What is Pixnapping and why is it worrying?

The name combines "pixel" and "kidnapping" because the attack literally performs a "pixel kidnapping" to reconstruct information from other apps. It is an evolution of side-channel techniques used years ago against browsers, now adapted to the modern Android ecosystem with smooth, silent operation.
Since it requires no special permissions, Pixnapping bypasses defenses built on the permission model and runs almost invisibly, which raises the risk for users and companies that rely, for part of their security, on what appears briefly on screen.
How the attack works

In general terms, a malicious app schedules overlapping activities and synchronizes rendering to isolate specific regions of the interface where sensitive data is shown; it then exploits timing differences in pixel processing to reveal their value (see how power profiles affect FPS).
- It causes the target app to display the data (for example, a 2FA code or sensitive text).
- It masks everything except the region of interest and transforms the rendered frame so that a single pixel "dominates".
- It interprets GPU processing times (e.g., the GPU.zip-type phenomenon) and reconstructs the content.
By repeating and synchronizing these steps, the malicious app obtains characters and reassembles them using OCR techniques. The time window limits the attack, but if the data remains visible for a few seconds, recovery is possible.
Scope and affected devices
The academics validated the procedure on the Google Pixel 6, 7, 8 and 9 and on the Samsung Galaxy S25, with Android versions 13 through 16. Since the abused APIs are widely available, they warn that "almost all modern Android" devices could be at risk.
In tests with TOTP codes, the attack recovered the full code at rates of roughly 73%, 53%, 29% and 53% on the Pixel 6, 7, 8 and 9 respectively, with average times close to 14.3 s, 25.8 s, 24.9 s and 25.3 s, which lets it finish before the temporary codes expire.
What data can be exposed
Beyond authentication codes (Google Authenticator), the researchers demonstrated the extraction of information from services such as Gmail and Google accounts, messaging apps such as Signal, financial platforms such as Venmo, and location data from Google Maps, among others.
They also warn about data that stays on screen for a long time, such as wallet recovery phrases or one-time keys; however, elements that are stored but never displayed (e.g., a private key that is never shown) are beyond Pixnapping's reach.
Google's response and patch status
The findings were reported to Google in advance; the company rated the issue as high severity and published an initial mitigation associated with CVE-2025-48561. However, the researchers found ways to bypass it, so an additional patch has been promised for the December bulletin, and communication with Google and Samsung is ongoing.
The current status suggests that a definitive block will require revisiting how Android handles rendering and overlaying between apps, since the attack exploits precisely those internal mechanisms.
Recommended mitigation measures

For end users, it is advisable to minimize the exposure of sensitive data on screen and to opt for authentication that resists phishing and side channels, such as FIDO2/WebAuthn with security keys, avoiding exclusive reliance on TOTP codes whenever possible.
- Keep your device up to date and apply security updates as soon as they become available.
- Avoid installing apps from unverified sources, and review permissions and unusual behavior.
- Do not leave recovery phrases or credentials visible; prefer hardware wallets to guard keys.
- Lock the screen promptly and limit previews of sensitive content.
For product and development teams, it is time to review authentication flows and reduce the exposed surface: minimize secret text on screen, add extra protection to critical views, and evaluate a move to hardware-based, codeless methods.
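To make the "exposure window" reasoning concrete, here is an added Python example (not code from the article or from the Pixnapping researchers). It implements RFC 6238 TOTP with the standard library, then models the only two levers a defender controls on the display side: how long a code stays valid after it is drawn, and how long the app keeps it visible. The attack durations fed in below are the article's reported per-device averages; the 5-second display budget and the `accepted_previous_steps` server policy are assumptions for illustration.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30  # RFC 6238 default period, also what Google Authenticator uses


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def seconds_until_rotation(now: int, step: int = TOTP_STEP) -> int:
    """Seconds left before the code drawn at `now` is replaced by the next one."""
    return step - (now % step)


def attacker_gets_valid_code(display_at: int, attack_seconds: float,
                             accepted_previous_steps: int = 0,
                             step: int = TOTP_STEP) -> bool:
    """True if a screen-reconstruction attack that starts the moment the code is
    drawn finishes while the server still accepts that code.

    accepted_previous_steps models servers that also accept the previous
    period(s) to tolerate clock skew (assumption: 0 = strict, 1 = common default);
    every extra accepted step widens the attacker's window by `step` seconds."""
    grace = accepted_previous_steps * step
    return attack_seconds < seconds_until_rotation(display_at, step) + grace


def success_window(attack_seconds: float, step: int = TOTP_STEP) -> float:
    """Fraction of each period during which starting the attack yields a code
    that is still valid on completion (strict server, no skew tolerance)."""
    return max(0.0, (step - attack_seconds) / step)


def render_code(code: str, displayed_for: float, budget_seconds: float = 5.0) -> str:
    """Display policy for the authenticator UI: show the code only for a short
    budget, then mask it. Shrinking visible time shrinks the window any
    screen-reading side channel has; a masked code leaks nothing."""
    return code if displayed_for < budget_seconds else "\u2022" * len(code)


def demo() -> dict:
    # RFC 6238 reference secret (Appendix B), so the codes below are checkable.
    secret = b"12345678901234567890"
    # Per-device average attack durations quoted in the article (seconds).
    reported = {"Pixel 6": 14.3, "Pixel 7": 25.8, "Pixel 8": 24.9, "Pixel 9": 25.3}
    return {
        "code_at_t59": totp(secret, 59),
        "success_window": {dev: round(success_window(s), 3) for dev, s in reported.items()},
        "valid_if_drawn_at_period_start": {dev: attacker_gets_valid_code(0, s)
                                           for dev, s in reported.items()},
        "valid_if_drawn_20s_in_strict": attacker_gets_valid_code(20, 14.3),
        "valid_if_drawn_20s_in_with_skew": attacker_gets_valid_code(20, 14.3, 1),
        "masked_after_budget": render_code("287082", 6.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the numbers make visible: with a strict server, even the fastest reported run (14.3 s) only succeeds if the attack starts in the first half of the period, and any skew tolerance on the server side hands that margin back to the attacker. Cutting the time the code stays drawn is the lever the app controls; moving to FIDO2/WebAuthn removes the on-screen secret altogether.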
Although the attack requires the information to be visible, its ability to operate without permissions and in under half a minute makes it a serious threat: a side-channel approach that exploits GPU rendering times to read what you see on screen, with limited mitigation today and a deeper fix still pending.
I am a technology enthusiast who turned his "geek" interests into a profession. I have spent more than 10 years of my life using cutting-edge technology and tinkering with all kinds of programs out of curiosity. I am now trained in computer technology and video games. This is because for more than 5 years I have been writing for various technology and video game websites, producing articles that aim to give you the information you need in language everyone can understand.
If you have questions, my knowledge covers everything related to the Windows operating system and Android for mobile phones. And my commitment to you is that I am always willing to spend a few minutes helping you resolve any questions you may have about this internet world.