Gingerbread data-stealing flaw discovered
By Tom Brewster
A US-based researcher has discovered a flaw in the latest iteration of Android, which could see user data stolen.
A Gingerbread user could have their device compromised by clicking on a malicious link, according to Xuxian Jiang, assistant professor in North Carolina State University's department of computer science.
The original vulnerability was supposed to have been patched in Android 2.3, yet there was still a way to bypass the fix, the researcher claimed.
“We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone,” Jiang said in his report.
In attempting to hack the device, the researchers found they could read and even upload the contents of files, including photos and voicemails, as long as they were stored on the phone’s SD card and the precise filename was known.
Jiang has been in touch with the Google Android Security Team and said the OS creator had taken the issue seriously, confirming a fix would be issued by the next major release of Android at the latest.
“From the interaction, I can tell that they took this issue seriously and the investigation was started immediately without any delay,” Jiang said.
“Also, I need to mention that this attack is not a root exploit, meaning it still runs within the Android sandbox and cannot grab all files on the system (only those on the SD card and a limited number of others).”
Until a fix has been issued, Jiang offered a number of ways to prevent exploitation of the vulnerability.
“For example, we can temporarily disable JavaScript support in the Android browser or switch to a third-party browser for the time being,” he added.
“Users are also encouraged to be cautious when viewing unfamiliar websites.”
A Google spokesperson told IT PRO the company had "incorporated a fix for an issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone."
"We're in communication with our partners," the spokesperson added.
Gingerbread was only announced in November 2010 and featured in the Nexus S, which was released just before Christmas.