The Tech Herald

HTC promises fix for data leak vulnerability

by Steve Ragan - Oct 5 2011, 07:00

On Monday, Tech Herald reported on the vulnerability discovered by AndroidPolice.com, in which several HTC devices are leaking sensitive information thanks to a recent Sense UI update. HTC has confirmed the issue, and says they are working to release a fix.

Application developer Trevor Eckheart, along with Artem Russakovskii and Justin Case, initially discovered the problems after an update to the Sense UI (user interface) was released by HTC.

The update installed some new tools to their devices, which can be used to extract personal information simply by installing a malicious application that requires Internet permissions.

It allows any Android application that connects to the Web or shows ads to access a list of user accounts on the device, including email addresses and sync status. In addition, one can also access last known network and GPS data, along with a limited previous history of locations.

Moreover, the buggy tools expose phone numbers, SMS data, and other system logs. The SMS exposure includes encoded text, but it is unknown if this data can be decrypted. Also of note is the installation of 'androidvncserver'. As the name suggests, HTC has placed a VNC application on devices, but with no explanation as to why.

After news of the vulnerability spread, HTC issued the following statement:

“HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application.”

“A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability,” the company added.

As such, they are “working very diligently to quickly release a security update that will resolve the issue on affected devices.”

“Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.”

Around the Web

Comment on this Story

comments powered by Disqus
Security
Index
News
 
Features
Reviews

From Autosaur.com

World’s first flat-pack truck the OX could help Africa

A flat-pack truck which can be put together by anyone in just half a day has been invented to help people living in remote places in Africa and other parts of the developing world. The OX is shipped in pieces but can be assembled with just three people in 11.5hours — and they need no [...]

The post World’s first flat-pack truck the OX could help Africa appeared first on Autosaur.

Nissan 370Z Nismo to rock the Gumball 3000 rally

The Nissan 370Z Nismo will be one of the cars in the 2013 Gumball 3000 rally where  â€” as the guys from TV show Jackass put it — “filthy stinking rich” people drive super-expensive cars 3,000 miles through 13 countries across Europe. The car, above, will be driven by a team from publishing and production [...]

The post Nissan 370Z Nismo to rock the Gumball 3000 rally appeared first on Autosaur.

#MyTurnToJag and Playboy: How Jaguar targets men

Jaguar has launched a new Twitter campaign called #MyTurnToJag to advertise its new F-Type â€” as well as teaming up with men’s magazine PLAYBOY. The #MyTurnToJag competition gives members of the public the chance to drive one of their new sports cars. And it comes after the firm helped announce Raquel Pomplun, left, as Playboy’s Playmate of [...]

The post #MyTurnToJag and Playboy: How Jaguar targets men appeared first on Autosaur.