Technology

Hackers can steal 2FA codes and private messages from Android phones

Source

Ars Technica

Published

Oct 13, 2025

TL;DR

AI Generated

A new attack called Pixnapping can steal 2FA codes, private messages, and other data from Android devices within 30 seconds. The attack requires a victim to install a malicious app that can read data displayed on the screen without system permissions. Google Pixel and Samsung Galaxy S25 phones have been demonstrated to be vulnerable, with potential for other models. Google released mitigations, but a modified version of the attack can still work even with the update installed. Pixnapping works by manipulating pixels on the screen to extract sensitive information from targeted apps.

Read Full Article

The most severe Linux threat to surface in years catches the world flat-footed

A critical Linux vulnerability, named CopyFail (CVE-2026-31431), has been disclosed by security researchers, allowing unprivileged users to gain root access across various Linux distributions. The exploit code, released by Theori, works universally without modification, posing a significant threat to data centers and personal devices. While the Linux kernel security team patched the vulnerability in several versions, many distributions had not yet implemented the fixes at the time of the exploit's release. This flaw enables attackers to execute malicious activities like hacking multi-tenant systems and creating backdoors, emphasizing the severity of the issue.

Ars Technica•

20 hours ago

Open source package with 1 million monthly downloads stole user credentials

A widely used open source package with 1 million monthly downloads was compromised by threat actors exploiting a vulnerability in the developers’ account workflow, granting access to sensitive information. The malicious package, element-data 0.23.3, was distributed to users, collecting user credentials, API tokens, and more. Users who installed this version are advised to consider their credentials compromised. The attackers gained access through a GitHub action, allowing them to publish the malicious package. The developers swiftly removed the package, rotated credentials, and fixed the vulnerability.

Ars Technica•

3 days ago

Google Cloud customer wakes up to $18,000+ bill despite $7 budget, thanks to forgotten API key in published project — attacker put in 60,000+ requests and blasted through $1,400 spending cap

An Australia-based AI consultant woke up to an $18,000+ Google Cloud bill despite having a $7 budget, due to an attacker exploiting a forgotten API key in a published project. The attacker made over 60,000 requests, surpassing the spending cap. Despite following security practices, a single vulnerability led to the breach. Google automatically upgraded the account tier without notification, allowing for higher spending limits. The user's bank credited back the charges, but the incident highlights risks associated with Google Cloud's API key format.

Tom's Hardware•

1 week ago

Anthropic's Model Context Protocol includes a critical remote code execution vulnerability — newly discovered exploit puts 200,000 AI servers at risk

Security researchers discovered a critical remote code execution vulnerability in Anthropic's Model Context Protocol (MCP), affecting SDKs in Python, TypeScript, Java, and Rust. This flaw puts up to 200,000 AI servers at risk across a supply chain with over 150 million downloads. Despite the exposure, Anthropic has declined to patch the protocol, stating that the behavior was expected. OX Security's research team identified multiple exploitation methods and recommended protocol-level fixes to Anthropic, which were reportedly declined. The vulnerability comes shortly after Anthropic launched Claude Mythos, a model aimed at identifying security vulnerabilities in other software, prompting calls for the company to address its own infrastructure vulnerabilities.