Member EvilDobe tipped us off to an article he found that reveals a serious security flaw in the built-in browser.
While most of us don't store anything of vital importance on our SD cards, it's still a vulnerability, and Google responded within 20 minutes of hearing about the exploit. thomascannon.net reported: "I notified the Android Security Team on 19-Nov-2010 and to their credit they responded within 20 minutes, took it seriously, and started an investigation into the issue."
Full details are below:
A security officer has stumbled across a serious vulnerability in the built-in browser of Android smartphones that might allow hackers to lift data from SD cards in the Google handsets.
It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability, as explained in an advisory and video here.
Cannon has gone public to warn users of the risk, ahead of an update to the Android OS that he reckons will be necessary to fix the problem. He was keen to stress he has no anti-Android axe to grind, going so far as to praise Google for its handling of the issue thus far.
"Google's response so far has been excellent," Cannon said. "I would not release an advisory while there is a chance that users will be able to receive a patch in a reasonable time frame. However in this case I don't believe they will be able to.
"This is not because of Google's response process, but because of the way handsets have to receive OS updates from manufacturers. I therefore believe it better that users are given a chance to protect themselves at an early opportunity, or at least understand the risks," he said.
In a statement, a Google spokesman acknowledged the problem and said it was in the process of developing and releasing a patch.
"We've developed a fix for an issue in the Android browser that could, under certain circumstances, allow for accessing files on a user's SD card. We're working to issue the fix to our partners and open source Android."
Google's security team told Cannon that they are aiming for a fix to go into a Gingerbread maintenance release. "They don't have a time frame for OEMs to release the update though, which is an issue, as that is the weak link," he added.
What do our readers think? No big deal, or does this need to be fixed ASAP?