Moto G5 Plus Prime Edition lockscreen can be bypassed by tapping on the ad [Update]

Amazon’s Prime Exclusive Phone program began in 2016, offering phones at a discounted price with a caveat: advertisements on the lock screen. It’s a tradeoff that many have come to accept, with even some high-end devices from LG being added to the offerings.

Unfortunately, it appears that the very advertisements that have made it possible to sell these devices at a lower price are now a cause of concern due to a glaring security flaw on at least one of the devices – the Moto G5 Plus Prime Edition.

Hey @amazon @MotorolaUS. I found a security flaw in my Amazon motot g5. Hit fingerprint sensor (it says fingerprint not recognized), then press power button, then click view ad on the lockscreen. This gives you 100% access to the phone. pic.twitter.com/eqLWLn34pD
— Jaraszski Colliefox (@jaraszski) January 22, 2018

The issue was brought to light by Twitter user Jaraszski Colliefox‏. It appears that in order to bypass the lock screen, one must merely tap the fingerprint sensor – which may fail to authenticate – then press the power button, and finally tap on the Amazon ad that pops up; tapping on the ad would open it in a web browser, providing complete access to the device.

Several users on Reddit have successfully managed to replicate the issue, but it seems that the flaw cannot be replicated if the phone is left locked for longer than 30 seconds, as pointed out by this YouTube video’s description:

Additionally, it appears that Moto Display must also be turned on. It’s not clear whether this flaw exists for other devices that are part of the Prime Exclusive Phone program.

Of course, no device is perfect – not even the iPhone X – but a flaw such as this makes it a moot point to offer security in the first place; advertisements already have a polluted reputation, and something like this does not help anyone, but perhaps the FBI.

via Android Police

Update: It turns out that the flaw is, in fact, a feature; the Moto G5 Plus happens to come with Android's On-Body Detection feature enabled by default, making the device defer locking itself for a certain amount of time, explaining the 30 seconds window in which the ad unlocks the device. If the feature is disabled, the issue can not be replicated.

The one issue this chronicle does highlight, however, is that a failed authentication does not lock the device - the On-Body Detection feature continues to unlock the device despite the most recent fingerprint authentication attempt.

If one is security conscious, it would perhaps be a good idea to turn the feature off.