Marco Squarcina
@minimalblue.bsky.social
Senior Scientist @TU Wien / Web & Mobile Security / #drumandbass DJ
🚩 with @mhackeroni.bsky.social We_0wn_Y0u kukhofhackerei Team Austria
🔗 https://minimalblue.com/
Things were a bit different with Android this time, likely due to a functionality vs security trade-off that made it harder to address the issue in AOSP. Going forward, we'll continue reporting to Google but jointly disclose to GrapheneOS for any future Android-related issues.
July 23, 2025 at 12:25 AM
Completely agree. For context on our disclosure policy: we usually report issues to upstream first so that other vendors or projects can automatically benefit from the fix. This process has worked well so far with browser vendors. The Chrome team in particular has always been extremely responsive.
July 23, 2025 at 12:25 AM
By scanning the QR code you win a free color blindness test
July 23, 2025 at 12:23 AM
And shoutout to my girlfriend for lending a hand - literally - for the photo! 💅
July 17, 2025 at 11:59 AM
Congrats to my co-lecturers @mautem.bsky.social, @matteomaffei.bsky.social, @wert310.bsky.social, Pedro Bernardo, @beerphilipp.bsky.social, Simon Jeanteur and our amazing tutors: this wouldn't be possible without you.
And thanks to all students for the great feedback and participation 🙏
July 15, 2025 at 11:52 PM
ublock origin lite works quite well on Chrome (but please people keep using Firefox)
July 11, 2025 at 9:14 PM
This effort is the result of a collab w Sebastian Roth, @lindorfer.in and @beerphilipp.bsky.social who discovered the issue & did the heavy lifting. Thanks to @wwtf.at for making this research possible and supporting us ♥️
See you at #USENIX in Seattle next month!
@tuwien.at @cysecwien.bsky.social
July 10, 2025 at 4:35 PM
It works on Android 15 & 16, while @grapheneos.org issued a fix. Major browsers such as Chrome and Firefox promptly patched after we disclosed the vulnerability. We analyzed ~100K Play Store apps finding that TapTrap is not currently being exploited in the wild.
July 10, 2025 at 4:35 PM
Unlike classic tapjacking, TapTrap uses Android's built-in activity transition animations to launch a transparent activity on top of the attacker's app. The user thinks they're tapping a harmless button, but the tap goes to a permission/system prompt, a browser, or a sensitive app without notice.
July 10, 2025 at 4:35 PM