"Pixnapping" rendering side channel attack

BuffaloStance

Switching profiles and then back again in time to input the code would be cumbersome at best.

chinook

Switching profiles and then back again in time to input the code would be cumbersome at best

I will break in many cases.

I actually have something similar right now with purchases with Revolut card -- I CANNOT make a purchase from my main profile, because when I'm challenged to confirm the transaction in app I switch the profile, open app, approve the purchase in app, switch back, open the browser, but... the purchase page has already been killed/cancelled/whatever.
Always failure.
I actually did the test with other apps - purchase with Credit Card (two different providers) - one sends codes over sms, another displays code in app -- in both cases an attempt to purchase will ALWAYS fail when I switch to the second profile.

(thankfully I have SMS available in my main profile, but here we are).

Switching profiles and then back again [...]

Is a broken workflow idea.

Watermelon

GrapheneOS Watermelon CVE-2025-48561 is listed as fixed in https://source.android.com/docs/security/bulletin/2025-09-01 and subsequent patches for fixing additional issues not covered by that will not use the same CVE. The CVE refers to the specific patch they made in the September 2025 bulletin. There are separate CVEs for other fixes. If a patch only partially fixes an issue or doesn't fix it properly, they use additional CVEs for the additional patches. You're drawing an incorrect conclusion.

I didn't know the failed fix was already committed and part of the September bulletin. It sounded like it wasn't, so I didn't check it. Thanks

GrapheneOS

There are changes for it in the December 2025 bulletin which have been in our security preview releases since September 2025.

« Previous Page