Google pays researcher $70,000 for discovering simple Android lock screen bypass bug

What just happened? If you're looking for a way to make a lot of money very quickly, you could try to find a security vulnerability and claim the bug bounty reward. One researcher received a $70,000 payout from Google after he discovered a way to unlock Android phones without a passcode, and he did it by accident.

Hungary-based researcher David Schütz reported the high-severity bug, tracked as CVE-2022-20465, which is described as a lock screen bypass due to a logic error in the code that could lead to local escalation of privilege with no additional execution privileges needed.

Although the exploit does require an Android device to be in the attacker's possession, it's an effective way of circumventing a screen lock secured by a PIN, shape, password, fingerprint, or face. Schütz discovered the flaw after he had been traveling for 24 hours and his Pixel 6 died while he was sending a series of text messages.

After connecting the charger and rebooting the device, the Pixel asked for the SIM's PIN code, which is separate from the lock screen code; it's designed to stop someone from physically stealing your SIM and using it. Schütz couldn't remember his code, causing the SIM to lock after he entered three incorrect numbers.

The only way to reset the locked SIM is to use the personal unlocking code, or PUK. These are often printed on the SIM card's packaging or can be obtained by calling a carrier's customer support. Schütz used the former, allowing him to reset the PIN. But instead of seeing a request for a lock screen password, the Pixel only asked for a fingerprint scan; Android devices ask for passwords/PINS after a reboot for security reasons.

Schütz experimented with this anomaly. Eventually, he found that reproducing these actions without rebooting the device enabled a full lock screen bypass---not even a fingerprint was required. You can see the process in action above.

Schütz says the process worked on his Pixel 6 and Pixel 5. Google fixed it in the latest Android update on November 5, but criminals could have exploited it for at least six months. All devices running Android 10 through Android 13 that haven't updated to the November 2022 patch are still vulnerable.

Google can pay up to $100,000 to those who report lock screen bypass bugs. Schütz received the lesser sum of $70,000 because someone had already reported the one he discovered, but Google could not reproduce it.