Some Android smartphones made by HTC are collecting and storing user data in such a way as to make them vulnerable to virtually anyone who cares to look.
The vulnerability first described by Trevor Eckhart afflicts a number of HTC phones and gives would-be attackers access to such personal information as email addresses and phone numbers, text message and location-based data through Internet-connected apps installed on the devices. Phones thus far found to be vulnerable are Evo 3D, the Evo 4G and the Thunderbolt
Researchers Artem Russakovskii and Justin Case joined Eckhart in investigating and documenting the flaw here.
According to them, HTC introduces collects 'lots' of information. but fails to properly protect it.
Any app on affected devices that requests a single android.permission.INTERNET can gain access to the list of user accounts, including "email addresses; the last known network and GPS locations and a limited previous history of locations; phone numbers from the phone log; SMS data, including phone numbers and encoded text and system logs which include everything your running apps do and is likely to include email addresses, phone numbers, and other private info."
HTC said it is investigating the claims.