HTC has confirmed that the way some of its Android smartphones handle requests for passwords allows applications to obtain the passwords for Wi-Fi networks that the phones are connected to. If such an application also has permission to connect to the Internet, it could take that information and transfer it to an unknown server.

Researchers discovered that applications with the android.permission.ACCESS_WIFI_STATE permission could obtain the password, user name and other settings by executing the .toString() method of the WifiConfiguration class. On most Android devices, the .toString() method leaves the password field blank or marks it with a "*" to show that a password is set, but on the affected HTC devices the password is shown in clear text.

The flaw was found in September 2011 and the researchers have been working with Google and HTC to resolve the issue. Google has changed the Android code to better protect the credentials store and has performed a code scan of applications in the Android Market, finding no applications there that exploit the vulnerability; this does not cover applications obtained from other sources.
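The permission pair described above (ACCESS_WIFI_STATE to read the configuration, INTERNET to send it elsewhere) is the obvious first filter for a scan like Google's. The following is an added triage example, not code from the article or from Google's scanner; it assumes a manifest already decoded to plain XML (as tools such as apktool produce) and constructed sample manifests, and flags apps holding both permissions as candidates for closer review, since the pair is necessary but not sufficient for the leak.

```python
"""Flag apps that could both read Wi-Fi settings and reach the network.

Added example with constructed sample manifests. Holding both permissions
is a trigger for manual review, not proof that an app reads the password.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name, namespaced in the XML

WIFI_STATE = "android.permission.ACCESS_WIFI_STATE"
INTERNET = "android.permission.INTERNET"


def declared_permissions(manifest_xml: str) -> set:
    """Return the <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml: str) -> dict:
    """Classify one app by the two permissions relevant to this flaw."""
    perms = declared_permissions(manifest_xml)
    can_read = WIFI_STATE in perms   # can call WifiConfiguration.toString()
    can_send = INTERNET in perms     # could forward what it read
    return {
        "package": ET.fromstring(manifest_xml).get("package", ""),
        "can_read_wifi_config": can_read,
        "can_reach_network": can_send,
        "review": can_read and can_send,
    }


# Constructed sample manifests (hypothetical package names)
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT, BENIGN):
        print(triage(manifest))
```

Apps flagged for review still need a look at the code itself (for example, where the text of a WifiConfiguration object ends up), because many legitimate apps declare both permissions.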

HTC has released updates for the affected smartphones – Desire HD (Version FRG83D, GRI40), Glacier (FRG83), Droid Incredible (FRF91), Thunderbolt 4G (FRG83D), Sensation Z710e (GRI40), Sensation 4G (GRI40), Desire S (GRI40), EVO 3D (GRI40) and the EVO 4G (GRI40). HTC says most devices will already have received the fix through over-the-air updates, but some devices will need a manual update, and it asks users to check its help page for more information in the coming week.

(djwm)