HTC acknowledged the vulnerability in some of its devices that Android Police together with Trevor Eckhart posted Saturday night. The privilege escalation vulnerability currently allows a potentially malicious app that uses only the INTERNET permission to connect to HTC's HtcLoggers service and get access to data far exceeding its access rights. This data includes call history, the list of user accounts, including email addresses, SMS data, system logs, GPS data, and more.
HTC added that a software fix is already in the works and will be pushed to affected devices following a brief testing period (hopefully carriers won't end up delaying the OTA roll-out too much due to additional testing and bureaucracies).
HTC's full public statement follows:
HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.
While I applaud HTC's desire to fix the situation quickly, I do have to wonder whether the patch will simply apply some sort of an authentication scheme to the service while letting it continue to collect the same kind of sensitive data to be potentially reported back to HTC or carriers.
Furthermore, I'd like a clarification on what the Android VNC server, which could allow remote access, is doing on affected devices.
Finally, I would like to know what HTC is planning on doing with the other services listed below found on the same devices. These services could be insecure in some ways, and we're currently looking into them in more depth.