Protect Your Android: How Hackers Can Access Your 2FA Codes and Private Messages

Admin

The third step of the new attack method measures how long it takes to gather data at each coordinate. By combining these timings, an attacker can reconstruct the images sent to the rendering pipeline, pixel by pixel.

How long this process takes varies. Sometimes attackers have no strict deadline for getting the information they want. But in cases such as stealing a two-factor authentication (2FA) code, every second matters. A 2FA code is typically valid for just 30 seconds. The researchers note:

“To meet the tight 30-second window, we cut down the number of samples per pixel to 16, compared to the 34 or 64 used in past methods. We also reduced the idle time between leaks from 1.5 seconds to just 70 milliseconds. This gives us the full 30 seconds to extract the 2FA code by waiting for the start of a new time interval.”

Using this method, the researchers were able to leak 100 different 2FA codes from Google Authenticator on several Google Pixel phones. The success rates were 73% for the Pixel 6, 53% for the Pixel 7, and 29% and 53% for the Pixel 8 and 9, respectively. Recovering each code took an average of about 14.3 to 25.8 seconds. On the Samsung Galaxy S25, however, the attack struggled due to excessive noise, highlighting the need for further research to refine the method.

A Google representative commented, “We released a patch for CVE-2025-48561 in September and another one will come in December. There’s no evidence that this vulnerability has been exploited in the wild.”

This research, known as “pixnapping,” sheds light on the gaps in Google’s security measures, particularly the claim that one app can’t access another’s data. However, carrying out such complex attacks in real-world situations may be much harder than it seems.

Interestingly, in today’s digital landscape, some teens have managed to steal sensitive information from large companies using simple tactics, showing that sometimes straightforward methods can be more effective than complicated ones.

This trending concern about online security reflects a broader issue. According to a recent survey by IBM, the average cost of a data breach in 2023 was about $4.45 million. With the rise in cyberattacks, companies need to stay vigilant and continuously update their security protocols. As online threats evolve, so must our defenses.

For more on this, see the IBM Data Breach Report.
