11 comments

[ 1.6 ms ] story [ 40.6 ms ] thread
You did get your bounty for finding the bug I presume?
Otherwise he might have passed on ~$20k. Maybe he just didn't care.
No mention of Responsible Disclosure .... really hope that was done!
(comment deleted)
If you really did find all of these vulnerabilities, you could potentially earn a lot of money by submitting them to Google's bug bounty program.
(comment deleted)
It's actually mentioned at the bottom of the article:

  Timeline:
  December 2, 2014 — Reported the vulnerability to the Android security, @natashenka confirmed the repro works
  January 6, 2015 — Response form Android security saying that the fix was pushed in mid-December, I checked that the repro stopped working on all my phones
  January 9, 2015 — Public disclosure
(comment deleted)
The PoC exploit fails on Android 5.0.1 with latest Google Play Services.
Not too surprising (but still reassuring), Play Services issues are by far the easiest thing to patch on Android.
Security needs to be considered here too... I hope they considered that.