HTC has acknowledged what it calls a “small” issue on certain Android-powered devices, which may expose the passwords to Wi-Fi networks you have connected to. Security researchers Chris Hessing and Bret Jordan first discovered the flaw, which allows third-party applications to see your Wi-Fi credentials in full.
Applications with access to the “android.permission.ACCESS_WIFI_STATE” permission, according to The Next Web, are able to use a certain command (.toString()) in the “WifiConfiguration” class to access all of the information for a wireless network you are connected to — including the password required for access.
If combined with the android.permission.INTERNET permission, attackers could then harvest the details and send them to a remote server on the Internet.
The flaw affects a large number of HTC devices, including:
- Desire HD (both “ace” and “spade” board revisions) – Versions FRG83D, GRI40
- Glacier – Version FRG83
- Droid Incredible – Version FRF91
- Thunderbolt 4G – Version FRG83D
- Sensation Z710e – Version GRI40
- Sensation 4G – Version GRI40
- Desire S – Version GRI40
- EVO 3D – Version GRI40
- EVO 4G – Version GRI40
It appears that HTC’s MyTouch 3G and Nexus One devices are not affected.
If you device is vulnerable, you’ll be pleased to know that the Taiwanese company has already developed a fix, which it announced in a small bulletin on its support site on January 31. Many of you won’t need to do anything to update your device — it will have already been done — but others will have to update manually when the download is available… next week:
HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone.
Even without this fix, however, your device should be safe as long as you do not download apps from the Android Market that are specifically designed to harvest these details. So, simply put, don’t download anything that you do not trust for the time being.
It’s a shame HTC’s devices have been subjected to another security flaw, but it’s great to see it has already provided a fix.
Is your HTC handset affected by this issue?
[via The Next Web]