A vulnerability in Android phones left the cameras of possibly hundreds of millions of Google and Samsung phones accessible without user permission, Ars Technica reports Tuesday, following an investigation by security company Checkmarx.

The weakness was found in the standard camera apps on phones from Google and Samsung. The vulnerability allowed third-party apps to steal photos and videos. The microphone could also be switched on during filming.

The vulnerability was first found on the Google Pixel 2 XL and Pixel 3. Google fixed the flaw in July this year. On Samsung phones, too, the camera could be switched on without permission; that vulnerability has since been closed, but it is not known when that happened.

Checkmarx developed a weather app to perform tests. During the investigation, the app was given access to the cameras. This allowed images to be recorded when the app was not in use and when the screen was off. Checkmarx was then able to save the images on its own servers.

It is not clear how the flaw came about. It is also unknown whether the vulnerability was exploited. Although phones from Google and Samsung have been updated, the problem may still be present on devices from other brands.