Android flaw executed typed text

November 10, 2008 – 12:15 PM

With the news that Google’s Android shipped with an embarrassing security hole being followed by a simple two-step method to ‘jailbreak’ the OS, you’d think that the company had ironed out most of the remaining bugs – but you’d be wrong.

According to ZDnet’s Ed Burnette, the open-source Linux-based smartphone platform recently shipped in T-Mobile’s G1 handset contains a real doozy of a back door: it would appear that absolutely anything you write, at absolutely any time, will be evaluated as a system command.

The bug, which affects handsets running Android 1.0 TC5-RC29 or earlier, can be demonstrated in a simple way: in any text entry box – even on a webpage or in the address book – hit the ‘enter’ key and type ‘reboot’ followed by ‘enter’ again. If your handset is vulnerable, you’ll see it suddenly decide to restart the OS.

The flaw is even more of an embarrassment when you learn that commands executed in this way run as the ‘root’ user, with complete system access. If you happen to be typing a document on how to hose a Linux system by typing in inadvisable commands, you can expect to learn about this one the hard way.

Source:
http://www.bit-tech.net/news/2008/11/10/android-flaw-executes-typed-text/1