Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.
https://projectzero.google/2026/01/pixel-0-click-part-1.html
-
Attack surface reduction is also important: the UDC is largely used by commercial media like TV shows, and most devices don't even have an encoder.
Does it really need to be 0-click?
@natashenka There always seems to be so much pushback on removing functionality. While turning it into a 1-click would help some (especially if the sender isn't in your contacts!), I'd be more curious to see if it could be very tightly sandboxed. (And if not... why not? Tight sandboxing of media libraries with limited kernel attack surface seems like a platform primitive that is broadly useful.) Or cross-compiled to wasm; performance of an edge-case scenario shouldn't be a concern.
-
@natashenka Can the Google Messages audio-parsing feature that is causing this be disabled? I did not consent to any "AI"/semantic content introspection being done by Google on ANYTHING on my phone, and have been trying to disable all such features as I find them (but of course software vendors are constantly adding more such features, and they are always on by default).
-
We hope this flag makes it out of Clang experimental, and more vendors start using it!
@natashenka That feels a lot like Microsoft's SAL: https://learn.microsoft.com/en-us/cpp/code-quality/using-sal-annotations-to-reduce-c-cpp-code-defects?view=msvc-170. The big question is how we ensure portability to multiple compilers. Could we standardize that, please?
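Added example, not code from the thread, from Project Zero or from the Clang project: the post does not name the flag, so this assumes it means Clang's experimental bounds-safety mode, and it uses the related counted_by attribute that recent Clang and GCC accept on flexible array members to tie an array to its length field. The wire format, the parser and the sample frames are constructed for illustration. The attribute is emitted only where the compiler advertises it, so the file builds with any C11 compiler; the explicit length check in the hardened parser is the one a bounds-checking compiler would otherwise insert.

```c
/* Added example, not from the thread, Project Zero or Clang: a
 * length-prefixed frame parser of the kind found in media decoders,
 * once trusting the input's length field and once checking it. The
 * counted_by annotation (which flag the post means is an assumption)
 * ties the flexible array to its length for a bounds-checking compiler. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Emit the attribute only where the compiler advertises it. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(field) __attribute__((counted_by(field)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(field)
#endif

#define HDR_LEN 2  /* constructed wire format: 2-byte big-endian length */

/* Parsed view of one frame: payload is valid for exactly len bytes. */
struct frame_view {
    size_t len;
    const uint8_t *payload;
};

/* Owned copy; data[] has exactly len elements, and the annotation lets a
 * bounds-checking compiler enforce that on every access. */
struct frame_copy {
    size_t len;
    uint8_t data[] COUNTED_BY(len);
};

/* Vulnerable: trusts the declared length, so a consumer copying len bytes
 * reads past the end of buf whenever the header lies. */
int parse_frame_trusting(const uint8_t *buf, size_t buflen, struct frame_view *out)
{
    if (buflen < HDR_LEN)
        return -1;
    out->len = ((size_t)buf[0] << 8) | buf[1];
    out->payload = buf + HDR_LEN;
    return 0;
}

/* Hardened: the declared length must fit in the bytes actually received. */
int parse_frame_checked(const uint8_t *buf, size_t buflen, struct frame_view *out)
{
    if (buflen < HDR_LEN)
        return -1;
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    if (declared > buflen - HDR_LEN)
        return -1;  /* truncated input or lying header */
    out->len = declared;
    out->payload = buf + HDR_LEN;
    return 0;
}

/* Constructed samples: a well-formed frame (header says 3, 3 follow) and
 * a malicious one (header claims 4096, only 2 follow). */
static const uint8_t SAMPLE_OK[]  = { 0x00, 0x03, 0xAA, 0xBB, 0xCC };
static const uint8_t SAMPLE_BAD[] = { 0x10, 0x00, 0xAA, 0xBB };

/* Bytes a trusting consumer would read beyond SAMPLE_BAD (0 = none). */
size_t trusting_overread(void)
{
    struct frame_view v;
    if (parse_frame_trusting(SAMPLE_BAD, sizeof SAMPLE_BAD, &v) != 0)
        return 0;
    size_t avail = sizeof SAMPLE_BAD - HDR_LEN;
    return v.len > avail ? v.len - avail : 0;
}

/* 1 if the checked parser rejects SAMPLE_BAD and accepts SAMPLE_OK. */
int checked_parser_behaves(void)
{
    struct frame_view v;
    int bad = parse_frame_checked(SAMPLE_BAD, sizeof SAMPLE_BAD, &v);
    int ok  = parse_frame_checked(SAMPLE_OK, sizeof SAMPLE_OK, &v);
    return bad == -1 && ok == 0 && v.len == 3 && v.payload[2] == 0xCC;
}

/* Parses SAMPLE_OK into a frame_copy and sums the payload; 0 on failure. */
unsigned frame_copy_checksum(void)
{
    struct frame_view v;
    if (parse_frame_checked(SAMPLE_OK, sizeof SAMPLE_OK, &v) != 0)
        return 0;
    struct frame_copy *c = malloc(sizeof *c + v.len);
    if (!c)
        return 0;
    c->len = v.len;  /* set the count before touching data[] */
    memcpy(c->data, v.payload, v.len);
    unsigned sum = 0;
    for (size_t i = 0; i < c->len; i++)
        sum += c->data[i];
    free(c);
    return sum;
}
```

The two parsers differ by one comparison, which is exactly the check an annotation like counted_by lets the compiler generate and enforce instead of relying on every caller to remember it. Building with -fsanitize=array-bounds on a compiler that honours the attribute turns an out-of-range index into data[] into a trap rather than a silent over-read.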
-
@natashenka I don't know that a single click matters, unless you design it well. See also https://infosec.exchange/@adamshostack/115884932482637376
-
@natashenka Wait, it transcribes them *by default* in the background? If so, that is an absolutely ridiculous attack surface to expose.
@gsuberland @natashenka IIRC that was already the case with Stagefright, which was also very similar in that it targeted media libraries involved in MMS.
-
@natashenka Using #grapheneos on our Pixel phone is a workaround / solution, right? 🤔😉
-
@GrapheneOS Would this exploit have been possible on GrapheneOS?
-
@natashenka Breaking out of the decoder is cooked, but I guess this one doesn't integrate into the hardware that much? Or does it?
-
@natashenka A-bloody-mazing! Thanks for the hard work.
-
@natashenka@infosec.exchange Does it apply to other SMS apps on a Pixel?