Android Authority exploited Google's security vulnerability

Two well-known Android Authority journalists and community figures, Kamila Wojciechowska and Mishaal Rahman, are being accused of exploiting a security vulnerability to get unauthorized access to dogfood builds (slang for internal Google builds). This allowed them to leak unreleased information about upcoming Pixel hardware and Android software features.

Instead of responsibly reporting the security flaw to Google, the two used it to publish "exclusive" stories and leaks based on confidential builds. They gave the impression that Google supported their reporting, conceiving the fact that it was based on a serious vulnerability.

Exclusive means unauthorized

Two months ago, a Pixel 9 Pro running an internal dogfood build was leaked on TikTok, showing early Android 16 features like the new UI, ambient AOD wallpapers, etc. Many in the community doubted the leak. Mishaal didn’t comment when people asked him about it. He knew it is 100% real but chose not to confirm or deny, because then "everyone would spread the leak" which would affect his "exclusive" coverage.

In private chat conversation, Mishaal admitted that he was running dogfood builds on his personal Pixel 8 Pro. To exploit the vulnerability he used a tool to modify his serial number in order to get access to internal builds.

Mishaal said he’d post about most of the features shown in the leak once Beta 3 was released, but carefully, as they require the "Flag Flipper" app that is present in dogfood builds only.

Kamila and their "friend" sent dogfood build screenshots in Pebble's Discord server to "flex".

Hiding the facts

In the article about Android 16's big UI overhaul, Mishaal claimed that the new UI features were “hidden in Beta 4”. They aren’t, because these features are only present in internal builds. Many users run public beta builds on their Pixel devices, but you won't find anyone with these new "hidden" UI features except Mishaal Rahman.

Mishaal admitted he knows "someone" who also found this loophole and said it would be a "shame" if Google closed it, likely because this is the only way he "exclusively" leaked upcoming Google Pixel or Android features.

He was worried about someone revealing a "bunch of internal Google apps", which could have prompted Google to investigate their access to early Pixel 10 firmware.

Mishaal claimed that he knows someone with access to Google partner repositories despite actually running a dogfood build. When someone would ask him about the source of the leak, Mishaal would deny using a "loophole" for getting information by saying that their sources come from someone at Google.

Mishaal has since partaken in deleting any messages about these posts in his chats. The Android Authority chat admins are even banning users for sharing these posts.