HTC acknowledged a vulnerability Thursday that can expose a user's Wi-Fi password and SSID to a malicious application running on the phone.

HTC also said that a fix for the vulnerability has already been pushed to several phones, although others will need to be manually updated. HTC said that more details on the update would be available next week. HTC representatives could not be reached at press time to comment on which phones had been patched, which had not, and when those patches would be forthcoming.

Security architects Chris Hessing and Bret Jordan were credited with discovering the vulnerability, which was published on the US-CERT Web site on Thursday.

The affected phones include the Desire HD (including the "ace" and "spade" board revisions), the HTC Glacier, the , , Sensation Z710e, (slideshow below), , , and , according to the published data. The MyTouch 3G and Nexus One are not affected.

"HTC takes customer data security very seriously," an HTC spokesman said in an email. "If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public."

According to the vulnerability details, a malicious application can harvest the Wi-Fi SSID and credentials and export them to the Internet, if certain conditions are met.

"Any Android application on an affected HTC build with the android.permission.ACCESS_WIFI_STATE permission can use the .toString() member of the WifiConfiguration class to view all 802.1X credentials and SSID information," the vulnerability report said. "If the same application also has the android.permission.INTERNET permission then that application can harvest the credentials and exfiltrate them to a server on the Internet."
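A defender's triage of that condition, as an added example that is not part of the original article or the advisory: it reads decoded AndroidManifest.xml text and ranks apps by whether they request the two permissions the report names. The package names and manifests are constructed samples; both permissions are common, so a match marks an app for review on an affected build, not as malicious.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
WIFI_STATE = "android.permission.ACCESS_WIFI_STATE"
INTERNET = "android.permission.INTERNET"
ORDER = {"read-and-exfiltrate": 0, "read-only": 1, "unparsed": 2, "not-exposed": 3}


def requested_permissions(manifest_xml):
    """Return the permission names requested in a decoded AndroidManifest.xml."""
    perms = set()
    for elem in ET.fromstring(manifest_xml).iter():
        # Both element names request a permission for the app.
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms


def classify(manifest_xml):
    """Exposure an app would have on an affected build, per the report's conditions."""
    try:
        perms = requested_permissions(manifest_xml)
    except ET.ParseError:
        return "unparsed"          # needs manual inspection, do not assume safe
    if WIFI_STATE not in perms:
        return "not-exposed"       # cannot reach WifiConfiguration data
    return "read-and-exfiltrate" if INTERNET in perms else "read-only"


def triage(manifests):
    """Return (package, exposure) pairs, highest exposure first."""
    results = {pkg: classify(xml) for pkg, xml in manifests.items()}
    return sorted(results.items(), key=lambda kv: (ORDER[kv[1]], kv[0]))


def _manifest(package, *perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application/></manifest>' % (package, uses))


SAMPLE = {  # constructed inventory
    "com.example.wallpaper": _manifest("com.example.wallpaper", WIFI_STATE, INTERNET),
    "com.example.wifiwidget": _manifest("com.example.wifiwidget", WIFI_STATE),
    "com.example.notes": _manifest("com.example.notes", INTERNET),
    "com.example.broken": "<manifest",  # truncated file
}

if __name__ == "__main__":
    for package, exposure in triage(SAMPLE):
        print("%-24s %s" % (package, exposure))
```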

HTC has already suffered a major setback with its fight against Apple, that use a data-tapping patent. That patent allows users viewing a Web page with a phone number embedded in it to tap that number and dial it via the dialing application. HTC said it would remove that feature from all of its phones.

Late last year, an update to several Android-based HTC devices resulted in the installation of tools that could collect a vast amount of personal data without permission. HTC and the carriers eventually .