HTC: Security Vulnerability Exists, Update on the Way – No Data Stolen


When TrevE over at XDA discovered almost a week ago now that a handful of HTC devices had a security issue, he did the right thing and reported it immediately to HTC. While the tech world attempted to make it sound like the world was coming to an end, HTC confirmed this morning that NONE of their customers have had data stolen or have been affected by this issue.   

With that said, they also confirm that the issue does exist and will get an update released immediately after carriers test it:

HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.

HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.

Just as we said in our write-up of this story yesterday, this is not as big of a deal as you have been led to believe.  Sure, it looks really bad on HTC’s part for missing something that could potentially be dangerous, but since it was found and reported in the proper way by TrevE, a fix is already on the way.

The only thing you have to worry about now is how long it will take Verizon to find this fix acceptable and then begin to push it to Thunderbolts. In the meantime, we will remind you for the 100th time – do not download shady apps from shady markets and you should be fine.

  • Garemlin

    I’m still waiting for HTC to tell us why the logger was there in the first place.

  • Rich

    How can they know if my data has been stolen or not unless they are tracking us transparently…

  • DaveDoug

    I just think it’s important to note the “tech world” is up in arms because HTC doesn’t have as much faith or support from this crowd since the Thunderbolt.  They were complicit in the hype machine surrounding it, and customers had to wait on things like Skype or Netflix or Gingerbread way past what the expectations were.  I recognize that the option to root any phone exists, however to find out that a product that failed to meet expectations has also been a glaring security issue seems to compound a lot of people’s feelings about how HTC needs to do a much better job in all aspects of production and support.  The final product may still be a very decent phone, but public sentiment is not in their favor and they ought to know it.

  • Chris Vander Maas

    I’m sure within 1h of the source to the exploit being released, there were apps updated to take advantage of this loophole.

  • No one, and I mean NO One waits like us Verizon customers

  • So, how long before Verizon approves the updates to fix these “flaws”? My money’s on a month and a half for the Bliss and Inc2, 2 for the Thunderbolt, and never for the Incredible.

    Can we please cut them out of the update process before they hurt someone?

    • Jarred Sutherland

      Yes, cut them out and more obvious bugs will just be allowed through. I think it’s painfully obvious that HTC doesn’t test very well.

  • how does this affect rooted devices?

  • Rizzidy

    There is an ocean of difference between “So far, we have not learned of any customers being affected in this way” and “NONE of their customers have had data stolen or have been affected by this issue.”

    • Nickels

      Exactly, just because HTC doesn’t know anyone that has been exploited by this doesn’t mean nobody has had their data stolen by the security hole. HTC didn’t even know the exploit existed a few weeks ago.

      My main issue is that data logging continued when users opted out during setup, taking up battery-sucking resources in addition to still being tracked.

      • andy

        I have the Thunderbolt and got the Gingerbread update last week before it got pulled. How do I opt out of being tracked?

        • Anonymous

          Root it……… use TiBu to freeze the HTC spyware app.

    • Louis

      HTC is clearly just making things up. They can’t possibly assert no one had their data stolen. It’s very possible this security hole has been discovered by others before TrevE.

  • Anonymous

    how long until the htc haters get over here and rant about battery life and how they think blur is SO much better than sense?

    • Jarred Sutherland

      I think blur and sense are terrible both … sooooo.

      I had a problem with my TBolt due to the battery, but it wasn’t due to life of the battery. It was due to the extended battery being so heavy that it fell out of the phone at the slightest of bumps and caused it to shut off. Swapped the phone out, fixed the problem for a month or two, and back to the same ol same ol. 🙁

      HTC has a black eye with the TBolt, but I still feel it’s a good phone when running CM7.

      • Anonymous

        it took 5 minutes.

        • Jarred Sutherland

          So you see me as an HTC hater? Wow, you have a narrow minded view then. I can hardly see my post as being an HTC hater. Both sense and blur ARE crap, the stock UI is just fine. All they do is slow down the update process and cause people to have a more difficult time switching to another device that isn’t in the same brand.

          So if I am a hater .. well then, so be it.

          Oh and, throw Samsung’s TouchTurd into the mix .. that is a HORRIBLE UI.

          • Anonymous

            The point was that any time HTC is mentioned, someone like you has to come along and talk about Sense, or the Thunderbolt battery, or something totally unrelated to the topic of the post.

          • Jarred Sutherland

            I responded to his question. Had HE not brought it up, I wouldn’t have. 

            And actually, this has EVERYTHING to do with people disliking sense, battery life, etc. This is a blunder by HTC, due to the complexity they add with piling sense on top of Android. If HTC paid more attention to core functionality rather than making things be oh so pretty, things like this (and the battery issue and whatever else people want to complain about) WOULDN’T happen anywhere as frequently as they do.

      • Anonymous

        is cm 7 fully functional for you? I am thinking of installing it but not sure how to root now that I have gingerbread… and not sure of the roms out there even if I do root… How is battery life once rooted, any better?

        • Jarred Sutherland

          As far as everything I need, it is fully functional. I use my phone frequently, and beyond an occasional reboot I get when connecting my bluetooth headphones (occasional, as in 1 time in every .. 25-30 connects), I love CM7. 

          I highly recommend getting a good GPS lock before switching though, because without that GPS won’t work (unless you go back to a sense rom, get lock and restore CM7). 

          Battery life for me is great. I switched back to the small battery due to some issues with the htc extended battery. I can easily go a full work day without a charge unless I am playing some game, etc.

          • Tboltgai

            use the latest shi5ta05p by droidth3ory, it’s a fork of cm7 and is much less buggy and gps works fine.

        • Gatz

          It’s more buggy than stock. Like with most custom ROMs people don’t complain because they don’t have the right to.

          • Jarred Sutherland

            So tell me what bugs you have run into? I stated the two I run into (and it isn’t frequent). You come in and make a claim without any data to back it up. So, back it up.

          • Anonymous

            Not true. What roms have you tried. There are a couple roms that are very good.

  • Anonymous

    I bet someone is affected by the time they get it patched.