Cybersecurity expert David Schütz accidentally uncovered a hack to unlock his Google Pixel devices without knowing the passcode.

The security researcher explained on his blog that he came across the issue by chance when he forgot the PIN code of his phone and had to use the PUK code (Personal Unblocking Key) to regain access. After completing the steps, Schütz noticed a vulnerability.

“It was a fresh boot, and instead of the usual lock icon, the fingerprint icon was showing,” he wrote.

“It accepted my finger, which should not happen, since after a reboot, you must enter the lock screen PIN or password at least once to decrypt the device.”

Schütz exploited the bug in a video posted on YouTube.

Stream more tech news live & on demand with Flash. 25+ news channels in 1 place. New to Flash? Try 1 month free. Offer available for a limited time only >

It means that if someone were to access your phone, they would deliberately input three incorrect fingerprint scans and temporarily disable the biometric features.

A potential hacker could remove your SIM card and replace it with their own in your phone.

They might incorrectly enter three PIN attempts before being prompted to provide a PUK code for the SIM which would now be their SIM card.

They would then enter the PUK and then be able to reset the PIN.

“This was disturbingly weird,” Schütz said. “My hands started to shake at this point.”

The Security & bug bounty tested the same steps on a Google Pixel 5 and received the same result.

A major risk, the action can only be required if someone physically has your phone.

According to Schütz, the unusual bug involves switching SIM cards.

The fluke discovery led Schütz to report the issue to the operating system’s owner, Google.

The tech giant pushed out an update to fix the problem, three months after Schütz notified the company.

Schütz claims Google rewarded him $70,000 for helping to find the glitch.

More Coverage

Urgent warning for 20m Android users

Kate Schneider

Huge problem noticed after iPhone update

Rebecca Borg

“Even though this bug started out as a not-too-great experience for me, the hacker, after I started ‘screaming’ loudly enough, they noticed, and really wanted correct what went wrong,” he said.

“In the end, I think Google did pretty well, although the fix timeline still felt long for me.”

The fixed Android bug was included in the November 5 2022 security update.