TAIWANESE PHONE MAKER HTC has sent out an update to fix a vulnerability that exposed WiFi credentials on its smartphones.
Security researchers at Open1X outlined the flaw, which they describe as critical. They revealed that HTC and Google were informed of the problem last September.
Chris Hessing and Bret Jordan, security architects at Open1X said, "There is an issue in certain HTC builds of Android that can expose the user's 802.1X WiFi credentials to any program with basic WiFi permissions."
They added, "When this is paired with the Internet access permissions, which most applications have, an application could easily send all stored WiFi network credentials (user names, passwords, and SSID information) to a remote server."
HTC said, "HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone."
Affected devices include the Desire HD, Glacier, Droid Incredible, Thunderbolt 4G, Sensation, Sensation 4G, Desire S, Evo 3D and Evo 4D.
Despite the big time lapse between the discovery of the issue and HTC releasing a fix Hessing and Jordan commended the two firms' handling of the problem, saying, "Google and HTC have been very responsive and good to work with on this issue. Google has made changes to the Android code to help better protect the credential store and HTC has released updates for all currently supported phones and side-loads for all non-supported phones." µ
Sign up for INQbot – a weekly roundup of the best from the INQ