HTC has acknowledged that a flaw on some of its Android handsets may have leaked WiFi passwords of networks they were joined to.
The issue was initially bought to light by security researchers Chris Hessing and Bret Jordan, who discovered that any Android applications on an affected handset with access to the android.permission.ACCESS_WIFI_STATE permission were able to view all credentials of a WiFi network. It is also possible that applications could have collected this information and returned it back to the bad guys, although no evidence exists that this has happened.
The following handsets are affected:
- Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
- Glacier - Version FRG83
- Droid Incredible - Version FRF91
- Thunderbolt 4G - Version FRG83D
- Sensation Z710e - Version GRI40
- Sensation 4G - Version GRI40
- Desire S - Version GRI40
- EVO 3D - Version GRI40
- EVO 4G - Version GRI40
The following are NOT affected:
- Nexus One
HTC has acknowledges the issue on its support site:
HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone.
It might also be a good idea to change your WiFi password, just to be on the safe side.