Security on Alessandro Sangiorgi — GPU Performance Engineerhttps://contact.alessandrosangiorgi.net/tags/security/Recent content in Security on Alessandro Sangiorgi — GPU Performance EngineerHugoenSat, 18 Apr 2026 00:00:00 +0000FLAG_MUTABLE PendingIntent in DeviceAsWebcam Allows Foreground Activity Hijack via fillIn() Injectionhttps://contact.alessandrosangiorgi.net/posts/deviceaswebcam-flag-mutable-pendingintent-activity-hijack/Sat, 18 Apr 2026 00:00:00 +0000https://contact.alessandrosangiorgi.net/posts/deviceaswebcam-flag-mutable-pendingintent-activity-hijack/<p>I reported a vulnerability in AOSP&rsquo;s <code>DeviceAsWebcam</code> service where a <code>FLAG_MUTABLE</code> PendingIntent is used as the foreground notification&rsquo;s <code>contentIntent</code>. An attacker app with user-granted <code>NotificationListenerService</code> access can extract the PendingIntent, inject arbitrary intent fields via <code>fillIn()</code>, and force-launch the system-UID <code>DeviceAsWebcamPreview</code> activity in the foreground — overlapping whatever the user was doing. The report was submitted on <strong>March 19, 2026</strong>.</p> <h2 id="the-vulnerable-code">The Vulnerable Code</h2> <p>The vulnerability is in <a href="https://android.googlesource.com/platform/packages/services/DeviceAsWebcam/+/refs/heads/main/interface/src/com/android/deviceaswebcam/DeviceAsWebcamFgService.java#134"><code>DeviceAsWebcamFgService.java</code> (line 134)</a>. The preview activity intent is created with only the component set — no action, no data, no extras, no flags, no categories:</p>Blocking WiFi De-Auth Attacks in the Kernel with eBPF and XDPhttps://contact.alessandrosangiorgi.net/posts/ebpf-xdp-wifi-deauth-defense/Tue, 07 Apr 2026 00:00:00 +0000https://contact.alessandrosangiorgi.net/posts/ebpf-xdp-wifi-deauth-defense/<p>802.11 de-authentication attacks are one of the oldest and cheapest WiFi denial-of-service techniques. An attacker sends forged de-auth management frames to disconnect clients from an access point — <code>aireplay-ng</code> sends 128 per attack command (64 directed at the AP, 64 at the client). Despite being a known problem for over two decades, the main defense is still 802.11w (Protected Management Frames), which requires both AP and client support and still degrades under high-rate floods.</p>Intercepting Android's ManagedProvisioning: A PendingIntent Vulnerability in AOSPhttps://contact.alessandrosangiorgi.net/posts/managedprovisioning-pendingintent-vulnerability/Mon, 06 Apr 2026 00:00:00 +0000https://contact.alessandrosangiorgi.net/posts/managedprovisioning-pendingintent-vulnerability/<p>I found and reported a vulnerability in Android&rsquo;s <code>ManagedProvisioning</code> component — the system app responsible for setting up enterprise-managed (work) profiles. The bug allows any unprivileged third-party app to intercept a privileged provisioning callback, leaking install timing, session metadata, and in some cases package details — all without any special permissions.</p> <p>Google acknowledged the report, logged it for potential remediation, and classified it as low severity. Here&rsquo;s the full breakdown.</p>