Android 10 "add users from lock screen" issue
On my Pixel 3 XL with the new Android 10, even with "Add users from lock screen" disabled, I discovered that I could reliably create a new user from the lock screen (swipe down the top menu, select the blue user icon, and the "Add user" plus-sign icon is available).
I've posted this publicly - at first because I thought I must be mistaken, but then expanded later because the issue is not exploitable remotely, can only be carried out after authorized-equivalent access to the device has been achieved, is trivial to recreate with normal UI interaction, and would very likely have been disclosed by others in the very short term.
- This issue was discovered on September 3, 2019
- This issue was assigned CVE-2019-2233 (NVD, CVE)
- This issue was addressed in the November 2019 Android Security Update
- The issue was patched with this patch
- The issue only applied when unlocking the phone with fingerprint
Steps to recreate
- Settings -> System -> Advanced -> Multiple Users (enable this)
- Disable "Add users from lock screen"
- Lock device, and confirm it's locked by trying a non-instant unlocking activity (like swiping)
- Drag down the top menu
- Select "Add user" (if this does not appear, unlock device, lock device, verify lock, and try again)
Mitigation
- Disable the "Multiple users" feature in Android (thanks to @raulsiles for the nudge!)
The symptom may not manifest immediately after changing the setting, and it also does not manifest immediately after a reboot; locking, unlocking, locking again, and then testing appears to trigger it.
I have my device set to lock immediately when the power button is pressed, which I can confirm by making sure that I'm prompted for fingerprint/password when trying to unlock. Under those circumstances, I am still able to add a new user, even with "add users from lock screen" disabled. I'm also not using Smart Lock.
Video (only the first few seconds actually matter): https://www.youtube.com/watch?v=E3JYZvDaHww
As shown in the video, the "Add users from lock screen" is disabled, and the screen is visibly locked (padlock at the top of the screen).
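An added adb-based check (not part of the original write-up) for confirming the mitigation and auditing which users exist on a device, useful after the "Steps to recreate" above. It assumes the Settings.Global keys user_switcher_enabled and add_users_when_locked and the "UserInfo{id:name:flags}" line format of `pm list users`; a constructed sample of that output is embedded so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original write-up. Assumes the Settings.Global
# keys "user_switcher_enabled" / "add_users_when_locked" and the
# "UserInfo{<id>:<name>:<flags>}" lines printed by `pm list users`.

# Constructed sample of `adb shell pm list users` output (primary user plus a Guest).
SAMPLE_USERS='Users:
    UserInfo{0:Owner:13} running
    UserInfo{10:Guest:404}'

# Reduce `pm list users` output to "id:name" lines.
parse_users() {
    printf '%s\n' "$1" | sed -n 's/.*UserInfo{\([0-9][0-9]*\):\([^:}]*\):[0-9a-fA-F]*}.*/\1:\2/p'
}

# Number of users besides the primary user (id 0). A user created from the
# lock screen shows up here, so compare against a known baseline.
secondary_user_count() {
    parse_users "$1" | grep -c -v '^0:' || true
}

# Verdict from the two settings values ("null" means the build default applies).
# Multi-user off is the mitigation the write-up recommends; on an unpatched
# Android 10 device the lock-screen toggle alone did not prevent user creation.
verdict() {
    switcher="$1"; add_locked="$2"
    if [ "$switcher" = "0" ]; then
        echo "mitigated: multi-user disabled"
    elif [ "$switcher" = "null" ]; then
        echo "unknown: user_switcher_enabled unset (build default applies)"
    elif [ "$add_locked" = "1" ]; then
        echo "exposed: multi-user on and add-users-from-lock-screen on"
    else
        echo "exposed: multi-user on; lock-screen toggle off was not enforced before the November 2019 update"
    fi
}

# Query a connected device when run as: sh audit.sh --device
if [ "${1:-}" = "--device" ]; then
    sw=$(adb shell settings get global user_switcher_enabled | tr -d '\r')
    al=$(adb shell settings get global add_users_when_locked | tr -d '\r')
    users=$(adb shell pm list users | tr -d '\r')
    verdict "$sw" "$al"
    echo "secondary users: $(secondary_user_count "$users")"
    parse_users "$users"
else
    # Offline demonstration on the constructed sample.
    verdict 1 0
    parse_users "$SAMPLE_USERS"
fi
```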
Android issue (not yet public)
Confirmations by model
Many Android-10-eligible devices (2016 onward) in the Pixel family seem to be affected. Still looking for confirmation from other device families.
- Pixel 1 (sailfish) - confirmed
- Pixel 1 XL (marlin) - ?
- Pixel 2 (walleye) - confirmed
- Pixel 2 XL (taimen) - confirmed
- Pixel 3 (blueline) - confirmed
- Pixel 3 XL (crosshatch) - confirmed (my device)
- Pixel 3a (sargo) - ?
- Pixel 3a XL (bonito) - ?
- Pixel Slate (?) - ? (runs Chrome OS)
- Essential Phone PH-1 - confirmed (one private report)
- Redmi K20 Pro - ?
(But at this point, it appears to be likely that it is an Android-10-wide issue)
- https://twitter.com/ChadBrubaker5/status/1169127930376704002 (Chad is on the Android Platform Security team)
- https://twitter.com/rene_mobile/status/1169487854789152768 (Confirmed by Rene Mayrhofer, director of the Android Platform Security team)
- Initial tweet: https://twitter.com/TychoTithonus/status/1169077924604964864
- Reddit /r/GooglePixel post: https://www.reddit.com/r/GooglePixel/comments/czlxsd/android_10_add_users_from_lock_screen_issue/
- Essential Phone and Xiaomi’s Redmi K20 Pro get day-one Android 10 updates
- Google Pixel (Wikipedia) - includes list of devices and release dates
- Full OTA images for Nexus and Pixel devices - where I got the list of device internal codenames
- @adam-p's Markdown cheatsheet ;)