On my Pixel 3 XL with the new Android 10, even with "add users from lock screen" disabled, I discovered that I could reliably create a new user from the lock screen (swipe down the top menu, select the blue user icon, and the "Add user" plus-sign icon is available).
I've posted this publicly - at first because I thought I must be mistaken, but then expanded later because the issue is not exploitable remotely, can only be carried out after authorized-equivalent access to the device has been achieved, is trivial to recreate with normal UI interaction, and would very likely have been disclosed by others in the very short term.
- This issue was discovered on September 3, 2019
- This issue was assigned CVE-2019-2233 (NVD, CVE)
- This issue was addressed in the November 2019 Android Security Update
- The issue was patched with this patch
- The issue only applied when unlocking the phone with fingerprint
- Settings -> System -> Advanced -> Multiple Users (enable this)
- Disable "Add users from lock screen"
- Lock device, and confirm it's locked by trying a non-instant unlocking activity (like swiping)
- Drag down the top menu
- Select "Add user" (if this does not appear, unlock device, lock device, verify lock, and try again)
Disable the "multiple users" feature in Android (thanks to @raulsiles for the nudge!)
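As an added defender-side check, not part of the original write-up, the following shell script audits the two settings behind this behaviour and the device's user list over adb. It uses the `Settings.Global` keys `add_users_when_locked` and `user_switcher_enabled` (assumed here, from AOSP, to back the "Add users from lock screen" and "Multiple users" toggles; verify on your build) and the real `pm list users` output format. The device output embedded in it is constructed so the script runs without a device. Listing users after the phone has been out of your hands is the practical detection here, since on affected builds the setting being off was not by itself a sufficient control.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the original disclosure): given the output of
#   adb shell settings get global add_users_when_locked
#   adb shell settings get global user_switcher_enabled
#   adb shell pm list users
# report whether multi-user is on, whether lock-screen user creation is on,
# and whether any users exist beyond an expected list of user ids.

# Parse `pm list users` output (lines like "UserInfo{10:Guest:404}") read
# from stdin into "id:name" pairs, one per line.
parse_users() {
  sed -n 's/.*UserInfo{\([0-9]*\):\([^:}]*\):.*/\1:\2/p'
}

# Count the users in `pm list users` output passed on stdin.
count_users() {
  parse_users | wc -l | tr -d ' '
}

# Print "id:name" for every user whose id is not in the whitespace-separated
# list given as $1. Usage: printf '%s\n' "$pm_output" | unexpected_users "0 10"
unexpected_users() {
  local expected=" $1 "
  parse_users | while IFS=: read -r id name; do
    case "$expected" in
      *" $id "*) ;;
      *) printf '%s:%s\n' "$id" "$name" ;;
    esac
  done
}

# Normalise a `settings get` value: "null" or empty means the key is unset,
# which Android treats as 0; strip any stray CR from adb output.
setting_value() {
  case "$(printf '%s' "$1" | tr -d '\r ')" in
    null|"") echo 0 ;;
    *) printf '%s' "$1" | tr -d '\r ' ; echo ;;
  esac
}

# audit ADD_USERS_WHEN_LOCKED USER_SWITCHER_ENABLED PM_LIST_USERS_OUTPUT EXPECTED_IDS
# Prints one line per finding; returns 0 only when no unexpected user exists.
audit() {
  local add_locked="$1" switcher="$2" pm_output="$3" expected_ids="$4"
  local rc=0 extra
  if [ "$(setting_value "$switcher")" = "1" ]; then
    echo "multi-user is enabled (user_switcher_enabled=1)"
  fi
  if [ "$(setting_value "$add_locked")" != "0" ]; then
    echo "add_users_when_locked is on: lock-screen user creation is allowed by design"
  fi
  extra=$(printf '%s\n' "$pm_output" | unexpected_users "$expected_ids")
  if [ -n "$extra" ]; then
    echo "unexpected user(s) present: $(printf '%s\n' "$extra" | tr '\n' ' ')"
    rc=1
  fi
  return $rc
}

# Constructed sample device output; the line format matches real `pm list users`.
SAMPLE_PM='Users:
	UserInfo{0:Owner:c13} running
	UserInfo{10:Guest:404}
	UserInfo{11:New user:10}'

# Audit a connected device when adb is available, otherwise the sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  ADD_LOCKED=$(adb shell settings get global add_users_when_locked)
  SWITCHER=$(adb shell settings get global user_switcher_enabled)
  PM_OUT=$(adb shell pm list users)
else
  ADD_LOCKED=0; SWITCHER=1; PM_OUT=$SAMPLE_PM
fi
if audit "$ADD_LOCKED" "$SWITCHER" "$PM_OUT" "0"; then
  echo "no unexpected users"
else
  echo "review the findings above"
fi
```

Run it with only the owner (id 0) expected; on the constructed sample it flags the guest and the extra "New user". Against a real device, pass the ids you know you created as the last argument.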
- It may not manifest immediately after changing the setting, and also does not manifest immediately after a reboot; locking, unlocking, locking, and then testing again appears to trigger the symptom.
- I have my device set to lock immediately when the power button is pressed, which I can confirm by making sure that I'm prompted for fingerprint/password when trying to unlock. Under those circumstances, I am still able to add a new user, even with "add users from lock screen" disabled. I'm also not using Smart Lock.
(Only the first few seconds actually matter): https://www.youtube.com/watch?v=E3JYZvDaHww
As shown in the video, the "Add users from lock screen" setting is disabled, and the screen is visibly locked (padlock at the top of the screen).
https://issuetracker.google.com/issues/140447135
Many Android-10-eligible devices (2016 onward) in the Pixel family seem to be affected. Still looking for confirmation from other device families.
- Pixel 1 (sailfish) - confirmed
- Pixel 1 XL (marlin) - ?
- Pixel 2 (walleye) - confirmed
- Pixel 2 XL (taimen) - confirmed
- Pixel 3 (blueline) - confirmed
- Pixel 3 XL (crosshatch) - confirmed (my device)
- Pixel 3a (sargo) - ?
- Pixel 3a XL (bonito) - ?
- Pixel Slate (?) - ? (runs Chrome OS)
- Essential Phone PH-1 - confirmed (one private report)
- Redmi K20 Pro - ?
(But at this point it appears likely that this is an Android-10-wide issue)
- https://twitter.com/MetalPlates/status/1169080091583737857
- https://twitter.com/winxp5421/status/1169099876455591936
- https://twitter.com/ChadBrubaker5/status/1169127930376704002 (Chad is on the Android Platform Security team)
- https://twitter.com/rene_mobile/status/1169487854789152768 (Confirmed by Rene Mayrhofer, director of the Android Platform Security team)
- Initial tweet: https://twitter.com/TychoTithonus/status/1169077924604964864
- Reddit /r/GooglePixel post: https://www.reddit.com/r/GooglePixel/comments/czlxsd/android_10_add_users_from_lock_screen_issue/
- Essential Phone and Xiaomi’s Redmi K20 Pro get day-one Android 10 updates
- Google Pixel (Wikipedia) - includes list of devices and release dates
- Full OTA images for Nexus and Pixel devices - where I got the list of device internal codenames
- @adam-p's Markdown cheatsheet ;)