Hacker News | shivasurya's comments

^this 100%


Works for a great company with an amazing culture.

But what about insecure managers, jealous managers, and managers who reward folks who are loyal to them or from the same region/country?


https://codepathfinder.dev - Currently working on AI-native static code analysis, and it's open source.


I would say this is a nice and clever attack vector, calculating from rendering time, aka side channeling. Kudos to the researchers, though it would take a lot of time to capture pixels even for Google Authenticator. My worry now is how much of this could be reproduced to steal OTPs from messages.

Given the rise of phishing via email with well-defined templates (for example, accurately vibe-coded designs mimicking GitHub notification emails), I have literally stopped clicking links in email, and now I have stopped launching apps from intents directly (say, "open with"). Better to open manually and perform the operation + remove useless apps, but people underestimate the attack surface (it can come through an SDK or web page intents).


This is why codepathfinder.dev was born. Under the hood it uses tree-sitter to search functions, classes and member variables, and pulls code accurately instead of using regex.

I started using it as a tool call in security scanning (think of something like claude-code for security scanning).

Give it a read if you're interested:

https://codepathfinder.dev/blog/codeql-oss-alternative/

https://codepathfinder.dev/blog/introducing-secureflow-cli-t...

Happy to discuss!
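To make the "parse tree instead of regex" point in the comment above concrete, here is an added example; it is not codepathfinder's own code. codepathfinder uses tree-sitter, which needs a grammar package; this stand-in uses Python's stdlib `ast` module so it runs anywhere, and the sample source, the regex and the function names are all constructed for the illustration. The regex picks up a commented-out `def` and a `def` inside a string literal and loses the class qualification; the tree walk returns exactly the real definitions, nested ones included, plus the class's member variables.

```python
"""Syntax-tree code search vs regex search.

Added example (not codepathfinder's code). codepathfinder uses tree-sitter;
this stand-in uses Python's stdlib `ast` so it runs without extra packages.
"""
import ast
import re

# Constructed sample: a commented-out def, a def inside a string literal,
# a decorated method, a nested helper, and two member variables.
SAMPLE = '''
class Session:
    # def refresh(self): old version, left as a comment
    token = "secret"

    @staticmethod
    def load(path):
        def helper():
            return "def bogus(): this is just a string"
        return helper()

    def refresh(self):
        self.token = rotate(self.token)
        self.expires = 0
'''

# grep-style search, the kind of thing a quick script reaches for
DEF_RE = re.compile(r"\bdef\s+(\w+)\s*\(")


def regex_functions(src):
    """Function names as a regex sees them (comments and strings included)."""
    return DEF_RE.findall(src)


def ast_functions(src):
    """(qualified name, line) for every real def, walking into classes and nested defs."""
    found = []

    def visit(node, prefix):
        for child in ast.iter_child_nodes(node):
            if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef)):
                name = prefix + child.name
                found.append((name, child.lineno))
                visit(child, name + ".")
            elif isinstance(child, ast.ClassDef):
                visit(child, prefix + child.name + ".")
            else:
                visit(child, prefix)

    visit(ast.parse(src), "")
    return found


def ast_members(src, class_name):
    """Member variables of a class: class-level assignments plus self.<x> stores."""
    members = set()
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.ClassDef) and node.name == class_name):
            continue
        for stmt in node.body:
            if isinstance(stmt, ast.Assign):
                members.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
        for sub in ast.walk(node):
            if (isinstance(sub, ast.Attribute) and isinstance(sub.ctx, ast.Store)
                    and isinstance(sub.value, ast.Name) and sub.value.id == "self"):
                members.add(sub.attr)
    return sorted(members)


if __name__ == "__main__":
    print("regex:", regex_functions(SAMPLE))
    print("ast:  ", ast_functions(SAMPLE))
    print("members of Session:", ast_members(SAMPLE, "Session"))
```

The same walk is what lets a tool hand a model the body of one function by qualified name rather than a grep window around a line, which is what keeps the context window small when the loop is driven by an LLM.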


Working on SecureFlow (https://codepathfinder.dev/secureflow-ai/) - think claude-code style, but for hunting security vulnerabilities.

The goal is to catch vulnerabilities early in the SDLC by running an agentic loop that autonomously hunts for security issues in codebases. Currently available as a CLI tool and VSCode extension. I've been actively using it to scan WordPress and Odoo plugins and found several privilege escalation vulns. I have documented them in a blog post here: https://codepathfinder.dev/blog/introducing-secureflow-cli-t...


Love this take actually; I have been working on this and published it way back in 2023/2024. Recently, inspired by the Claude-code & Cline agentic flow + tool looping, I experimented with the same using tools like file_read and dir_list, throwing in a few SAST tools and security prompts, on the WordPress plugin ecosystem (say plugins with 10k-100k active installations). I scanned around ~600 and to my surprise it yielded ~45 critical and ~120 high severity issues, accounting for ~20% non-reachable vulns. Spent around $6 and ~40 million tokens with the grok-4 fast reasoning model and the results were impressive. I gave claude-sonnet a try but was significantly rate-limited despite having $50 in credits from Anthropic for research.

You can read about my experience here: https://codepathfinder.dev/blog/introducing-secureflow-cli-t...

Old post: https://shivasurya.me/security-reviews/sast/2024/06/27/autom...
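The comment above describes an agentic loop built from file_read and dir_list tools plus a few SAST checks. Here is an added illustration of that loop shape; it is not SecureFlow's code. The model is replaced by a scripted list of actions, the plugin file and the AJAX-handler heuristic are constructed, and the plugin is written to a temporary directory so everything runs offline. The caveat a practitioner would want is in `_resolve`: when the agent is pointed at untrusted plugin code, a comment or string in that code can prompt-inject it into asking for `../../etc/passwd` or a symlinked path, so every tool resolves the request with `realpath` and refuses anything outside the checkout.

```python
"""Sandboxed tool loop for an agentic code scan.

Added example (not SecureFlow's code). The "model" is a scripted action
list; the SAST check is a constructed WordPress-flavoured heuristic.
"""
import os
import re
import tempfile


class ToolError(Exception):
    pass


class RepoTools:
    """file_read / dir_list confined to one checkout."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def _resolve(self, rel):
        # realpath follows symlinks, so a link that points outside is caught too
        full = os.path.realpath(os.path.join(self.root, rel))
        if full != self.root and not full.startswith(self.root + os.sep):
            raise ToolError(f"path escapes repo root: {rel}")
        return full

    def dir_list(self, rel="."):
        return sorted(os.listdir(self._resolve(rel)))

    def file_read(self, rel, max_bytes=64_000):
        # cap the read so one huge file cannot blow the context budget
        with open(self._resolve(rel), "rb") as f:
            return f.read(max_bytes).decode("utf-8", "replace")


# Constructed heuristic: a wp_ajax_* hook registered in a file that never
# calls a capability or nonce check anywhere. File-level, so expect noise.
AJAX_HOOK = re.compile(r"add_action\(\s*['\"]wp_ajax_(?:nopriv_)?(\w+)['\"]")
GUARD = re.compile(r"current_user_can|check_ajax_referer|wp_verify_nonce")


def sast_scan(src):
    findings = []
    for m in AJAX_HOOK.finditer(src):
        if not GUARD.search(src):
            findings.append(f"ajax handler '{m.group(1)}' without capability/nonce check")
    return findings


def run_loop(tools, actions):
    """Dispatch (tool, argument) actions; return (findings, refused tool calls)."""
    findings, errors = [], []
    for tool, arg in actions:
        try:
            if tool == "dir_list":
                tools.dir_list(arg)          # result would go back to the model
            elif tool == "file_read":
                findings.extend(sast_scan(tools.file_read(arg)))
            else:
                raise ToolError(f"unknown tool {tool}")
        except ToolError as e:
            errors.append(str(e))           # refused, but the loop keeps going
    return findings, errors


def demo():
    """Constructed plugin plus a scripted run that includes one escape attempt."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "plugin"))
        with open(os.path.join(d, "plugin", "ajax.php"), "w") as f:
            f.write("<?php add_action('wp_ajax_nopriv_delete_user', 'pl_delete');\n"
                    "function pl_delete() { wp_delete_user($_POST['id']); }\n")
        tools = RepoTools(d)
        actions = [("dir_list", "."),
                   ("file_read", "plugin/ajax.php"),
                   ("file_read", "../../etc/passwd")]
        return run_loop(tools, actions)


if __name__ == "__main__":
    print(demo())
```

The refused call is returned to the loop as a tool error rather than raising out of it, which is the behaviour you want when the model, not a human, is choosing the next action: it sees the refusal and moves on instead of the whole scan dying on one bad path.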


Had a use case of keeping track of visa appointment slots and got instantly blocked by Cloudflare :sad:


Sorry - Cloudflare bypass is coming this weekend!

This is also something I need btw so if you built a product on top of it, I'd be user #2 :)


Same here? Is that a security issue?


On github it's more likely that western developers check the source.


trueeeeeeeeeee


Cool!

