SECURITY FLAW! Google Voice Actions usable on lock screen!

barakaspeed

I just noticed today accidentally that you can press and hold the search button on the lock screen and perform anything Google Voice Actions is capable of. I am using a Droid 2 unrooted. This may affect the Droid X as well.

This is a huge security flaw in Motorola's modified pattern/PIN lock screen. Hopefully this thread garners enough attention so that this can be patched soon!


Steps to reproduce:

1. Lock your screen
2. Press and hold the search button "magnifying glass"
3. Speak any voice action and the phone will respond. Note: you will not get any visual or audible cues that it is working, but it is!
 
If you whisper sweet nothings to it, will it light the LED red as if it's blushing?
 
Only if they're really dirty sweet nothings.

Interesting, will try this in a little bit. Is it possible this was intended? The lock screen is not a true security layer without additional settings activated anyways, right? I have not set up a passcode or 'tic-tac-toe' style unlocker yet.
 
Today, we install applications that we grant access to our personal contacts and other stuff in the phone. I am not sure if this is a concern to me.

Sent from my DROIDX using Tapatalk
 
It's true. If you unlock the screen after you try it, the "speak now" screen will be open.

I don't know if I care, honestly.

This may actually be a useful feature when driving or something.

I hope this 'feature' is actually a bug and gets squashed. I feel a lock screen is just that, a locking mechanism designed to prevent unauthorized access to any level of functionality of the phone that has the potential to incur charges and/or fraud.
 
Clarify what you mean by "lock screen."

Do you mean the slide to unlock lock screen that always appears?

Or do you mean this works when the D2 has been locked using a pattern or PIN lock set up in settings>Location and Security?

If the former, this is a non-issue, as the standard lock screen has no security whatsoever.

If you mean the pattern/PIN lock screen, then this is a real security flaw.
 
Happens in both scenarios. This is why I'm posting so the word can get out.
 
When we say Google Voice Actions, are we referring to the stock "Voice Commands" app that comes with the D2?
 
No, this is the Google Search app, that can be downloaded from the market place. It adds new functionality, called Google Voice Actions. You can trigger it by pressing and holding the magnifying glass.

See:
Voice Actions for Android
 
Gotcha.

I tried this on my rooted D2 (no custom ROM tho) with the default "Voice Commands" stock app and it is not affected by this bug.

So the workaround would be to uninstall Voice Actions until a fix is available.

Good catch! This is a serious bug.
 
It's not the default "Voice Commands" app, but the Google Voice Search (Actions) that gets invoked by pressing and holding the magnifying glass.
 
Right right, I got off track with the Voice Commands thing. That bugger ain't what we're interested in.

One bit I'm still trying to understand, though. Is this an issue on a stock D2 (without any extra apps installed) or do you have to download some extra component to be vulnerable?
 
Good question. I quickly removed the latest update to Google Search and my D2 reverted back to the stock version of Google Search. The issue still exists.

I don't believe this to be an issue with Google Search, rather with Motorola's Lock Screen implementation that doesn't prohibit the magnifying glass button.
 