Amazon has been running its Prime Exclusive program for some time now. Essentially, the company partners with phone manufacturers to offer noticeably lower prices on devices in exchange for preloaded Amazon apps and advertisements on the lock screen. However, it appears that these lockscreen ads have led to a security flaw on one Prime Exclusive device, the Moto G5 Plus.
Hey @amazon @MotorolaUS. I found a security flaw in my Amazon motot g5. Hit fingerprint sensor (it says fingerprint not recognized), then press power button, then click view ad on the lockscreen. This gives you 100% access to the phone. pic.twitter.com/eqLWLn34pD
— Jaraszski Colliefox (@jaraszski) January 22, 2018
We first learned of this issue by way of a video posted on Twitter, which showed a Prime Exclusive G5 Plus being unlocked without the owner's fingerprint being registered after a lockscreen ad was opened. The phone appears to completely unlock in order to open a linked web page in the ad, and pressing the home button reveals the user's home screen.
Initially, we thought that this might be user error, perhaps something with the auto lock settings, but that was disproven with a shot of the auto lock settings in a second video (posted above). That being said, there have also been several owners who haven't been able to replicate the security flaw, though this could simply be due to differing settings.
Instructions to reproduce the issue.
For the flaw to do its magic, it seems like Moto Display must be turned on. It was also noted that the phone doesn't let you back in if you leave it locked for a certain length of time (the YouTube video's description says around 30 seconds). In any case, this is still a security flaw.
We couldn't reproduce the same behavior on a Nokia 6 Prime Exclusive, so it seems like the issue is probably restricted to the G5 Plus. In the meantime, we've reached out to Amazon for comment. Let us know in the comments below if you have a Prime Exclusive phone of any kind, and if your phone is privy to the flaw via the instructions in the screenshot above.
As some of you have speculated, the issue is due to Smart Lock's on-body detection feature. The uploader of the YouTube video was unable to reproduce the flaw after turning on-body detection off. That being said, this isn't something that should be pre-enabled, so Motorola/Amazon aren't completely off the hook here.