Gingerbread data-stealing flaw discovered


A US-based researcher has discovered a flaw in the latest iteration of Android, which could see user data stolen.

A Gingerbread user could have their device compromised simply by clicking on a malicious link, according to Xuxian Jiang, assistant professor in North Carolina State University's department of computer science, who discovered the flaw.

The original vulnerability was supposed to have been patched in Android 2.3, yet there was still a way to bypass the fix, the researcher claimed.

"We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone," Jiang said in his report.

In attempting to hack the device, the researchers found they could read and even upload the contents of files, including photos and voicemails, as long as the files were stored on the phone's SD card and the precise filename was known.

Jiang has been in touch with the Google Android Security Team and said the OS creator had taken the issue seriously, confirming a fix would be issued by the next major release of Android at the latest.

"From the interaction, I can tell that they took this issue seriously and the investigation was started immediately without any delay," Jiang said.

"Also, I need to mention that this attack is not a root exploit, meaning it still runs within the Android sandbox and cannot grab all files on the system (only those on the SD card and a limited number of others)."

Until a fix has been issued, Jiang offered a number of ways to prevent exploitation of the vulnerability.

"For example, we can temporarily disable JavaScript support in the Android browser or switch to a third-party browser for the time being," he added.

"Users are also encouraged to be cautious when viewing unfamiliar websites."

A Google spokesperson told IT PRO the company had "incorporated a fix for an issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone."

"We're in communication with our partners," the spokesperson added.

Gingerbread was only announced in November 2010 and featured in the Nexus S, which was released just before Christmas.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.