HTC acknowledges long-running WiFi security flaw, says it kept it quiet to prevent exploits

As far back as September, security researchers discovered a "critical" bug in many HTC Android handsets that exposed users' WiFi credentials to any hacker who cared to look. The flaw affected recent devices like the Thunderbolt and EVO 4G all the way back to the Desire HD. The researchers promptly notified HTC, but the manufacturer waited a full five months before acknowledging the flaw publicly a few days ago. Sounds shady, perhaps, but HTC sent us a statement clarifying that this is standard policy to protect customers. It says it waited to develop a fix before it alerted the big bad world to the vulnerability. Most newer devices have already received their fix OTA, but owners of some older phones -- we'll update this post when we know exactly which ones -- will need to check the HTC Support site for a manual update next week. Meanwhile, in the manufacturer's defense, the guys at the Open1X group who discovered the bug say that HTC was "very responsive and good to work with." Here's HTC's statement to us:

"HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public."

Update: We changed our original headline to make it clearer that HTC deliberately kept quiet to protect its customers. We're certainly not accusing HTC of any wrongdoing here.

Originally appeared on Engadget on Fri, 03 Feb 2012 05:13:00 EDT.

TheNextWeb | Source: My War with Entropy, HTC Support

Sprint issues OTA fix for HTC Android handset vulnerability

Earlier this month, we found out that after a software update HTC's Android handsets had a serious security flaw -- any app could gain access to user data, including recent GPS locations, SMS data, phone numbers, and system logs. To its credit, HTC responded quickly to the security issue, and now an OTA update with the fix is going out to those on the Now Network. Sprint users with an EVO 4G, 3D, Shift 4G, Design 4G or View 4G can get the download, as can Wildfire S owners. The patch is available now for a manual download, and more info on the fix can be found at the source below.

[Thanks, Korey]

Originally appeared on Engadget on Tue, 25 Oct 2011 18:03:00 EDT.

Source: Sprint

HTC confirms security hole, says patch is incoming

HTC held true to its promise to look into the security vulnerability that surfaced over the weekend, an apparent glitch that allows any app requesting internet access to take a peek at a user's account information, GPS location, system logs, and other potentially private data. While HTC assured us that user data isn't at risk of being harmed by its own software, a third-party malware app could exploit the security flaw and cause some trouble. The outfit is already building a patch, and will ship it out in an over-the-air update after a short testing period with its carrier partners. Until then? HTC recommends steering clear of apps from publishers you don't trust. Hit the break to see the official statement.

Originally appeared on Engadget on Tue, 04 Oct 2011 01:47:00 EDT.

HTC security vulnerability said to leak phone numbers, GPS data, and more, HTC responds (video)


The folks at Android Police seem to have stumbled across a rather jarring security vulnerability in HTC handsets running Android, giving common apps with internet access a peek at the device's vital statistics, user information and more. Demonstrated in the above video, developer Trevor Eckhart found that a recent HTC update packed in a suite of logging tools that collects data on user accounts (including email addresses), recent GPS locations, SMS data and encoded text, phone numbers, system logs, running processes and more -- all of which can be accessed by common apps requesting access to android.permission.INTERNET.

HTC is already looking into the issue, stating, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken." If you're too antsy to wait for HTC's update, head on over to the source link below -- Eckhart says the issue can be resolved by removing HTCloggers from a rooted device.

Originally appeared on Engadget on Sun, 02 Oct 2011 19:17:00 EDT.

Source: Android Police, InfectedROM