Passing vulnerability info to the group...

Best,
Philippe
Univ. of TN

-------- Original Message --------
Subject: [eduroam] Security vulnerability on several HTC Android devices
Date: Thu, 02 Feb 2012 10:27:06 +0100
From: Stefan Winter <[email protected]>
To: [email protected] <[email protected]>

Hello,

our colleagues from ULAKBIM (thanks!) have made me aware that some end users' login credentials are at risk when they are using a set of HTC devices running Android.

A good description of the problem is for example in the US-CERT advisory, released yesterday:

http://www.kb.cert.org/vuls/id/763355

In short, the HTC-flavour of Android firmware sometimes reveals the SSID, username and password of a user to any other app on the device which asks for WiFi Properties.

This seems rather serious - if an attacker sees the SSID "eduroam" together with a pair of valid credentials he will immediately know where to use the hijacked credentials.

I suggest that everyone makes their IdPs aware of this issue, so that they can decide if they think it's worth informing their own end users.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
