A serious vulnerability that affected the way some popular HTC Android phones handle 802.1x usernames, passwords, and SSIDs was disclosed publicly today by engineers Chris Hessing and Bret Jordan. The bug allowed applications with only an ACCESS_WIFI_STATE permission to read your Wi-Fi SSIDs, usernames, and, most importantly, passwords on at least the following devices:
- Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
- Glacier - Version FRG83
- Droid Incredible - Version FRF91
- Thunderbolt 4G - Version FRG83D
- Sensation Z710e - Version GRI40
- Sensation 4G - Version GRI40
- Desire S - Version GRI40
- EVO 3D - Version GRI40
- EVO 4G - Version GRI40
Of course, if a malicious application also happens to have access to the Internet, SMS, or other means of sending out information, credentials could leak out from a vulnerable device to a remote location. Read More
Well, that only took one media firestorm. Google, in response to widespread reports of a potential credential security hole in Android (which not only affects Android, but any OS using authTokens), is starting to roll out a fix for the public Wi-Fi vulnerability to all affected Android devices today. Google's statement, below:
Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts.
Before you panic, you should know that this isn't a huge deal, and Comcast is aware of the situation and has promised a fix "within a week or two." There, feel better? Good, because if you use the XFINITY app, any other app that has permission to read logs can read your Comcast username and password (aLogCat, for example).
The details, courtesy of aBSuRDiST, who discovered the issue:
My system log shows <userName>[email protected]</userName> and <password>MYPASSWORD</password> on a line that starts with "D/HTTPManager".