Security flaw in Prime Exclusive Moto G5 allows access to anyone
There’s no doubt in many people’s minds that the Amazon Prime exclusive version of certain smartphones offers a pretty good bargain — but it has been reported that a security flaw is affecting its Moto G5 version.
If you’re already an Amazon Prime member (or have access to the free trial), then you have the option of picking up certain mobile phones with a hefty discount on the recommended retail price. What’s the catch? You have to deal with lockscreen ads and “offers” from Amazon. So if you can live with your recent Amazon searches popping up on your lockscreen when you use your phone, then you’ve got a bargain.
That’s the way it is with the Moto G5, which can be picked up for just $240 with Amazon’s Prime Exclusive deal, a bargain for most. However, some users have noticed that Amazon’s lockscreen ads have created a pretty significant security hole that means anyone can access your phone — even if you’ve enabled the fingerprint scanner.
Hey @amazon @MotorolaUS. I found a security flaw in my Amazon motot g5. Hit fingerprint sensor (it says fingerprint not recognized), then press power button, then click view ad on the lockscreen. This gives you 100% access to the phone. pic.twitter.com/eqLWLn34pD
— Jaraszski Colliefox (@jaraszski) January 22, 2018
In the example above, one Twitter user shows how his Moto G5 can be accessed by tapping on a lockscreen ad after the phone’s screen is awoken. The ad then bypasses the fingerprint scanner, taking him straight to the ad’s target page. From there, accessing the device’s home page — and the rest of the phone’s info, pictures, and personal data — is as simple as hitting the home button at the bottom of the screen.
Reddit users on /r/Android were quick to try and replicate the flaw, and it was discovered that Moto Display needed to be turned on, and the flaw doesn’t replicate if the phone has been turned off for a significant amount of time. The description of a replication video says that duration is around 30 seconds, which doesn’t sound too bad until you realise that’s 30 seconds during which anyone can access your phone. There’s some paranoia fuel for you right there.
At this moment, it seems that other Prime Exclusive phones are immune to the bug. Android Police has reported that its Prime Exclusive Nokia 8 can’t be accessed in the same way, so the flaw is likely rooted in some of Motorola’s software on the Moto G5 and G5 Plus.
We contacted Motorola to find out when a fix is likely. Motorola’s Support page said “our developer is currently coordinating with the developer from Google to address this issue.” While Motorola wasn’t willing to share a timeline on the fix, it said that it would be keeping members of the Motorola Community forum updated, and that a fix would be published on the Motorola website as soon as it was ready.