Though the re-construction of the pattern is effectively impossible, I think you raise a good point regarding the use of NFC. The article mentioning a cloud database was a red flag for me as it introduces another attack vector. Sure, it's not as simple as replacing the tag as you can with RFID, but we know the counterfeiters will go to impressive lengths to replicate the real deal. If verification can be all-local that's ideal, imo. The issue there, though, is that you then need to trust either the scanned or scanning device with a private key. A private key that, if obtained, could be used to create infinite counterfeits. Either way, I think this glue-based method is a great solution, even if it does rely on a cloud service which is dependent on the company that maintains it.

Has this not been the case for a while? I think I've been getting /maps for at least the past year.

Yep. Noticed when I didn't want to enable JS on the whole of Google's domain in μBlock Origin. I switch to another browser for this task alone—especially as some regions have incomplete data for OpenStreetMap

the /maps URL worked for a while, but I never noticed the redirect from maps.google.com (but I wasn't paying attention to that).

Appalling handling on Google’s end here. The duplicate issue part I can understand, but why should it take two reports of a critical vulnerability to take action? Surely when the first one comes through it’s something you jump on, fix and push out ASAP, not give delay to the point where a second user can come along, find the bug, and report it.

The refactor that’s mentioned towards the end of the article is great, but would you not just get a fix out there as soon as possible, then work on a good fix after that? For a company that claims to lead the way in bug bounty programs this is a pretty disappointing story.

You can read in the conversation that Google was not able to reproduce it the first time the bug was submitted:

> The same issue was submitted to our program earlier this year, but we were not able to reproduce the vulnerability. When you submitted your report, we were able to identify and reproduce the issue and began developing a fix.

I wonder if it really was the same bug or what they did wrong to reproduce it. Or maybe they just made some mistake in reproducing it.

Agreed. If the first bug was

> I did something weird after putting in a new PIN, and I was able to access my home screen without my password, but I'm not sure of the exact steps I did

then that's not really a duplicate. If the original bug report doesn't have enough information to recreate the steps, the second one is the only real bug report.

Yes. The first one is more like a user complaint than an actual reproducible bug report.

Then if that’s the case, the author should have been paid a full payout, not a “thanks for making us fix this” payment.

Just trying to rationalize, but if the "external researcher" was hired by Google to find security issues, google might have a requirement to fix the bug at its own pace.

I would personally be highly suspicious of a security flaw being a duplicate though. It's can be a very convenient excuse not to pay the bounty.

Reporting and investigation matters. Perhaps the initial report was only on the bypass of the lock-screen but the initial report only ran into the decrypted phone state so it was dismissed as not being exploitable (see other comments), whilst the second report actually got inside an active phone (And then was also written up in a simple, concise and reproducible way).

My question then is, would/will the same fact-checking apply to a different government that Musk does support? He’s been pushing for this equal fact checking and equal platform for both parties, but as far as I can tell we’re not seeing these banners anywhere on politics Twitter besides official government accounts.

Unconfirmed at this point - more info: https://twitter.com/troyhunt/status/1566565409939427328?s=21...

To say the author "intentionally created" an environment where cheating is commonplace I think may be a little unfair to them. Whether they run a given course online or in person is almost certainly well above their pay grade. While the situation was far from ideal and I believe he may have been too lenient in some situations (the plagiarism on the academic integrity assignment for one), at the end of the day he made the best of a very bad situation. No doubt, in-person exams as you described are the most cheat-proof way, but in a scenario where the author has no say in this, it's not a terrible outcome. Look at the semester following the one with widespread cheating - he made significant changes based on the past issues and in the process managed to eliminate a lot of the issues.