Less than a week after the release of Google's T-Mobile G1 smart phone, security experts detected a serious security flaw in its Android operating system that leaves it wide open for hackers to launch drive-by attacks on users' devices.
The security vulnerability, detected by researchers at Baltimore, Maryland-based Independent Security Evaluators, follows last week's release of Google's T-Mobile G1 phone Oct. 22, which is powered by the Android operating system.
Researchers at ISE posted an advisory warning users of the potential security threat that would allow their mobile devices to be compromised or exposed if they visited a malicious Web page.
"These phones will currently ship with the vulnerability present and may pose a security risk to their users until and update becomes available," said Miller in his posting.
According to the advisory, Google Android relies on more than 80 different open source packages. And the security error stems from a buffer overflow vulnerability in some of the older, more vulnerable versions of the open source software. Subsequently, an unsuspecting user could be successfully exploited simply by accessing an infected Web page using with a vulnerable operating system, experts say.
Once a user in infected, attackers could then obtain access to any personal information accessible from the victim's browser -- including cookies, information entered into Web application and saved passwords -- in order to steal a bank account numbers, Social Security information and other sensitive data.
"If you end up on a bad guys' site, he can basically take over the phone and run code, and access anything your browser has access to and do anything your browser could do," said Charlie Miller, principal analyst at Independent Security Evaluators.
An attacker could also trick users into revealing sensitive, personally-identifying data by altering an existing site or creating a malicious Web page, Miller said.
However the error precludes attackers from manipulating other features of the phone, such as dialing the phone directly.
While ISE has reliable exploit code, Miller maintained that it will keep that information under wraps until Google repairs the glitch.
So far, there is no known exploit loose in the wild, Miller said, while contending that a successful exploit would likely be one that's more targeted as opposed to a widespread attack.
"As a targeted attack, it's definitely a possibility," said Miller. "This is an easy way to do it."
Miller said that he notified Google regarding the vulnerability Oct. 20th -- two days prior to the release of the T Mobile G1 phone -- and said in his posting that ISE is "working with them to try to get a fix as quickly as possible."
Google echoed that the company was working to remediate the issue.
"We treat all security matters seriously and will carefully work with our partners to investigate and update devices periodically to reduce our users' exposure," said Google in a statement. "We are working with T-Mobile to include a fix for the browser exploit, which will soon be delivered over the air to all devices, and have addressed this in the Android open source platform. The security and privacy of our users is of primary importance to the Android Open Source Project " we do not believe this matter will negatively impact them."
However, Miller said Google first asked him not to make the vulnerability public until a fix was found.
Instead, he said he was criticized by Google after reporting the vulnerability to the New York Times before a fix became available. "I thought it was important to tell people there was a problem," said Miller. "If you know there's a problem, you could at least take precautions."
"In my mind, I was doing the right thing," he added.