Researchers Find Vulnerability in Galaxy S5 Fingerprint Sensor

Posted by: sunny214 | Posted: 2014-4-18 14:00 | Views: 944 | Comments: 1

The Samsung Galaxy S5's fingerprint sensor has a loophole that can leave a user's phone--and the PayPal money app--vulnerable to hackers, researchers say. The exploit, demonstrated in a YouTube video, bypasses the Galaxy S5's fingerprint lock using a fake fingerprint made from wood glue.
In an interview with the Journal, PayPal's head of ecosystem security, Brett McDowell, said that the hack is real, and known, but it's nothing that should alarm the public.
'We don't have any reason to question the authenticity of the demonstration,' McDowell said. 'This is a known challenge to fingerprint-sensing technology, and these are some of the top researchers in the world. But this is not a scalable exploit. It's not something most people should worry about.'
The video by Berlin, Germany-based Security Research Labs shows the mold of a fingerprint being used to trick a Galaxy S5's fingerprint sensor into unlocking the phone. SRLabs says in the video that it made its fake fingerprint (or 'wood glue spoof') by taking a camera phone photo of a fingerprint left on the phone's display. The video was reported earlier by Ars Technica.
'Not only is it possible to spoof the fingerprint authentication, even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password,' says the narrator in the SRLabs video.
PayPal is among the apps that can make use of Samsung's fingerprint sensor in place of a password, and in the video researchers use the fingerprint spoof to log into PayPal and transfer money to an outside account.
McDowell said that PayPal believes the security and convenience of using a fingerprint sensor outweigh the possibility that a hacker steals both a person's phone and a pristine fingerprint, and also has the time and resources to make a copy of the fingerprint before that user calls PayPal customer service to disconnect their account from the lost or stolen phone.
'This is not something you can do on any number of devices,' McDowell said. 'This is not like a massive phishing scam where you can get millions of passwords quickly. This is limited to one device, one victim at a time.'
Apple's iPhone 5S also has a fingerprint reader, one that has been hacked in a similar fashion, but it is not used to authenticate third-party financial transactions, only Apple's own iTunes store.
Samsung and SRLabs have not yet replied to requests for comment.


