HTC Phones Suffer Major Security Exploit
Latest Update Provides Easy Access to Personal Data
Tipped by Romney2012

The folks over at Android Police note that several HTC smartphone models suffer from a rather major security vulnerability that can give a hacker access to personal information, e-mail addresses, and your location. The vulnerability is part of HTC's Sense UI and affects several popular HTC phones, including the EVO 4G, EVO 3D, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide, and several more.

The problem began with a recent HTC update that introduced a suite of logging tools that creates an HTCLoggers.apk file accessible by any app with Internet permissions. That provides easy outside access to:

• The list of user accounts, including email addresses and sync status for each.
• Last known network and GPS locations and a limited previous history of locations.
• Phone numbers from the phone log.
• SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely).
• System logs (both kernel/dmesg and app/logcat), which include everything your running apps do and are likely to include email addresses and phone numbers.

HTC was contacted on September 24th but has yet to comment on the vulnerability. "In my experience, lighting fire under someone's ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry," notes the website.

Only stock phone firmware is impacted -- users who have modified their Android HTC devices to run CyanogenMod are not impacted.

Update: HTC is telling news outlets they're "investigating" the security flaw.

Romney2012 (Defeat Obama 2012-Chg we can believe in; Premium; join:2002-03-03; USA; kudos:4) | HTC updating issue on their Twitter feed
HTC says they are verifying the problem and will update soon: »twitter.com/#!/Htc
We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken.
-- »www.rickperry.org/

Simba7 (I Void Warranties; join:2003-03-24; Billings, MT) | Re: HTC updating issue on their Twitter feed
Um.. Maybe they should move it before a lawsuit generates.
..or they turn their phone in for a non-HTC phone.

  said by Romney2012:
  HTC says they are verifying the problem and will update soon: »twitter.com/#!/Htc
  We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken.
Quite simple really, root, and delete htcloggers.apk = done. No HTC update necessary.

Romney2012 (Defeat Obama 2012-Chg we can believe in; Premium; join:2002-03-03; USA; kudos:4) | Re: HTC updating issue on their Twitter feed
  said by whiteyonenh:
    said by Romney2012:
    HTC says they are verifying the problem and will update soon: »twitter.com/#!/Htc
    We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken.
  Quite simple really, root, and delete htcloggers.apk = done. No HTC update necessary.
But not everybody likes to root their phones.
-- »www.rickperry.org/

Re: HTC updating issue on their Twitter feed
  said by Romney2012:
  But not everybody likes to root their phones.
Fair enough I suppose, I did hear of one person getting Verizon to exchange their HTC Thunderbolt for a Droid Bionic... so I suppose there's that.
Or wait for HTC to release an update, which could be who knows how long, as it'd have to go through QA testing beforehand.
In the meantime, don't install any apps to your phone that require internet access... Wait... that means, don't install ANY 3rd party apps, as pretty much all want internet access
Or you could root, and have it fixed in about 30 mins to an hour. The choice is yours.

Romney2012 (Defeat Obama 2012-Chg we can believe in; Premium; join:2002-03-03; USA; kudos:4)
»www.engadget.com/2011/10/04/htc-···ncoming/
HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.
-- »www.rickperry.org/

Great timing for this news
Just in time for the iPhone 5 release

Re: Great timing for this news
  said by Gatsby:
  Just in time for the iPhone 5 release
how much you want to Apple is funding this project

Re: Great timing for this news
  said by Sammael1069:
    said by Gatsby:
    Just in time for the iPhone 5 release
  how much you want to Apple is funding this project
My thinking exactly. It's just too timely

Re: Great timing for this news
Doesn't change the fact that HTC has a very real and dangerous exploit in their software, which they've acknowledged: »www.androidpolice.com/2011/10/04···shortly/
Apple had nothing to do with this. The website sells Android apparel and the people who discovered this are security researchers:
  said by »trevoreckhart.com/ :
  Trevor Eckhart. I'm a Systems Administrator in Connecticut. Skilled with SQL, Citrix, Cisco, Windows Server03/08, Android and more.
  said by »beerpla.net/ :
  Artem Russakovskii - a local San Francisco geek who currently works at Plaxo and enjoys hacking Android, PHP, CSS, Javascript, AJAX, Perl, and regular expressions, working on Wordpress plugins and tools, tweaking MySQL queries and server settings, administering Linux machines
-- less talk, more music

Re: Great timing for this news
  said by Ctrl Alt Del:
  Doesn't change the fact that HTC has a very real and dangerous exploit in their software, which they've acknowledged: »www.androidpolice.com/2011/10/04···shortly/
  Apple had nothing to do with this. The website sells Android apparel and the people who discovered this are security researchers:
    said by »trevoreckhart.com/ :
    Trevor Eckhart. I'm a Systems Administrator in Connecticut. Skilled with SQL, Citrix, Cisco, Windows Server03/08, Android and more.
    said by »beerpla.net/ :
    Artem Russakovskii - a local San Francisco geek who currently works at Plaxo and enjoys hacking Android, PHP, CSS, Javascript, AJAX, Perl, and regular expressions, working on Wordpress plugins and tools, tweaking MySQL queries and server settings, administering Linux machines
So it seems the vulnerability is from a potential app that would have to be downloaded from a third party site.
I never thought I would praise an Apple product, but I do have an iPhone 4, and I like that they police their app store pretty well.
I have nothing against Android phones! Hope they can fix the problem soon. Seems obvious that smart phones are the next target for hackers trying to gather personal info. I don't use my phone as a data bank for this reason.
What are they gonna do with my contacts?

Re: Great timing for this news
  said by Gatsby:
  So it seems the vulnerability is from a potential app that would have to be downloaded from a third party site.
The vulnerability is from an application HTC installs on their phones: HtcLoggers.apk. This vulnerable app comes with the HTC phone out of the box.
  said by Gatsby:
  Seems obvious that smart phones are the next target for hackers trying to gather personal info. I don't use my phone as a data bank for this reason.
  What are they gonna do with my contacts?
HTC's logger also provides your GPS location and recent notifications.
-- less talk, more music

Re: Great timing for this news
  said by Ctrl Alt Del:
  The vulnerability is from an application HTC installs on their phones: HtcLoggers.apk. This vulnerable app comes with the HTC phone out of the box.
    said by Gatsby:
    Seems obvious that smart phones are the next target for hackers trying to gather personal info. I don't use my phone as a data bank for this reason.
    What are they gonna do with my contacts?
  HTC's logger also provides your GPS location and recent notifications.
So it's Windows '98 all over again! sheez la pete. All these open source mini computer phones are now vulnerable. It's like when Microsoft's email client opened attachments by default.
Next: virus control apps for your phone. And I just threw away my tinfoil hat

cdru (Go Colts; Premium,MVM; join:2003-05-14; Fort Wayne, IN; kudos:5) | So what...it's already too late
If it allows any application with internet access to transmit private data, it's already too late. The offending app is already on your phone. And I'm sure everyone thoroughly reads every single app's permissions before downloading/installing it from the market.
It's no different than Windows users blindly clicking allowed when the request permission popup comes up, or Linux users running as root.
Not saying that it's something that doesn't need fixed, just saying it might not be as big of a deal as it sounds.

Re: So what...it's already too late
  said by cdru:
  If it allows any application with internet access to transmit private data, it's already too late. The offending app is already on your phone. And I'm sure everyone thoroughly reads every single app's permissions before downloading/installing it from the market.
  It's no different than Windows users blindly clicking allowed when the request permission popup comes up, or Linux users running as root.
  Not saying that it's something that doesn't need fixed, just saying it might not be as big of a deal as it sounds.
Agree. Stupidity on the user will override any security in place.

ROOT :)
Love my rooted Thunderbolt, Theory removed that apk for me already running shifts3ns3
Who says rooted phones are less secure

Re: ROOT :)
My phone does everything I need it to do. I rooted my original Evo for one reason and one reason only. To install Titanium Back Up so I could remove the Twitter and Facebook apps that came preinstalled and could not be removed. I hate social networking and think it's a disease and do not want those apps on my phone. I installed some custom ROMs and was unimpressed, I did all the major ones, CM, Fresh and I forget which other ones. They all sucked. They broke more things than they did right. One CM release broke the GPS, another didn't have WiMAX capability and I could never get Visual Voicemail working among other things. None of these Custom ROMs have a user interface or launcher as slick as HTC Sense. I'm sorry, but that is just simply awesome, NOTHING compares to Sense, Beautiful Widgets is a very poor imitation. After doing many customizations, I always found myself wanting to imitate my stock ROM, so what's the point?
Now my Evo 3D, I never rooted, I have no plans to. My phone is perfect the way it is. I have no desire to overclock the pretty fast 1.2 GHz dual core processor, only so I can underclock it to 800 MHz later on to save battery. I have no desire to customize anything beyond HTC Sense, as it's simply the best. Facebook and Twitter are not installed on the phone, and Sprint apps can be uninstalled, so bloatware is not an issue.
There is simply no benefit for me to root. Done it once, don't care to do it again.
-- Chuck Norris was once asked why he doesn't use an iPhone, he responded, Same reason I don't use tampons. AT&T - America's Worst 3G Network

c0c0c0 (c0c0c0 is the color of my soul.; join:2004-12-20; Lexington, OK) | CyanogenMod
CyanogenMod FTW!

tmh (@verizon.net) | Re: CyanogenMod
  said by c0c0c0:
  CyanogenMod FTW!
Except CyanogenMod has been stuck forever on 7.1 RC1.