It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. Wow!
In the bug report (issue 1207) jdhorvat writes:
Funny story behind finding this:
I was in the middle of a text conversation with my girl when she asked why I hadn't responded. I had just rebooted my phone and the first thing I typed was a response to her text which simply stated "Reboot" - which, to my surprise, rebooted my phone.
When I first read this I didn't believe it. Then I read it again, and again, and finally tried it for myself. It's true. Don't believe me? Save anything you're working on (this will reboot your phone!), open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: <return>-r-e-b-o-o-t-<return>. Poof, your phone will reboot. This only works on a real phone, not in the emulator, and only with firmware version 1.0 TC4-RC29 and earlier.
From the home screen select Menu > Settings > About phone, and look for the Build number (near the bottom). If you see this:
kila-user 1.0 TC4-RC29 115247 ota-rel-keys,release-keys (US)
kila_uk-user 1.0 TC5-RC7 112931 (UK)
then you're vulnerable. If you see anything later than RC29 in the US or RC7 in the UK then you already have the fix.
Because Android is open source, the problem was quickly tracked down by users to a couple lines in the system file init.rc. My guess is that this was accidentally left in during device debugging. Thankfully the fix is trivial; you can probably even make it yourself if you're so inclined (just comment out the offending lines described in the reports above and reboot).
Here's a workaround I just discovered: Open the keyboard and type these 5 keystrokes: <return>-c-a-t-<return>. That will cause the phantom shell to not listen to commands any more, at least until the next reboot.
A patch from Google should be on its way soon. Meanwhile, be careful what you type.
Updated 10Nov2008: The patch installed itself on my G1 this weekend. I can verify that the bug has been fixed, so it's safe to type "rm -r" in your instant messages again.