HTC confirmed in a statement that it has found a “vulnerability that could potentially be exploited by a malicious third-party application” in its software. According to the company, it has not heard of any customers being affected by the security hole, and is working to release a security update to address the problem.
The vulnerability, first found by Android Police, allows apps that are authorized to connect to the Internet to see information from the company’s HTCLoggers service, which reports device data back to the company. These apps can therefore access data such as call history, location data, e-mail addresses and system logs, and malicious apps could easily broadcast that information to the Web. Users are supposed to be notified when apps want to access that data.
HTC said it is working on a fix. “Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it,” the company said.