
Worst-ever software security blooper?

Nov 11, 2008 — by Eric Brown — from the LinuxDevices Archive

T-Mobile has issued an over-the-air fix for a laughable Android security bug that caused anything typed into its G1 phone to be interpreted by a root shell process. Prior to the fix, hackers briefly enjoyed root shell access, leading to such fun as Debian installations on SD cards.

The Android bug has to rate as one of the great software bloopers of all time. Whether snuck into the code by a Google employee bent on mischief, or simply a vestige of Google's debug process, the bug was apparently caused by these lines in the G1's init.rc:


## Daemon processes to be run by init.
##
service console /system/bin/sh
    console
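
An added example, not from the original article or from Android's source: a small Python audit that parses init.rc service blocks and flags any that would start a shell as root at boot, as the quoted lines do. The shell path list and the second sample file are assumptions constructed for illustration.

```python
# Shell paths treated as interactive shells (assumption for this example).
SHELLS = {"/system/bin/sh", "/bin/sh"}

def parse_services(text):
    """Map each service name in an init.rc to its argv and option lines."""
    services, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue                      # blank line or comment
        if tokens[0] == "service" and len(tokens) >= 3:
            current = {"argv": tokens[2:], "options": {}}
            services[tokens[1]] = current
        elif tokens[0] in ("on", "import"):
            current = None                # a new section ends the service block
        elif current is not None:
            current["options"][tokens[0]] = tokens[1:]
    return services

def root_shell_services(text):
    """Return (name, path, has_console) for shells init would start as root at boot."""
    findings = []
    for name, svc in parse_services(text).items():
        opts = svc["options"]
        user = (opts.get("user") or ["root"])[0]   # no 'user' option means root
        autostart = "disabled" not in opts         # 'disabled' = only started on request
        if svc["argv"][0] in SHELLS and user == "root" and autostart:
            findings.append((name, svc["argv"][0], "console" in opts))
    return findings

# The lines quoted in the article.
G1_INIT_RC = """\
## Daemon processes to be run by init.
##
service console /system/bin/sh
    console
"""

# Constructed sample, not the contents of the RC30 update.
RESTRICTED_INIT_RC = """\
service console /system/bin/sh
    console
    disabled
    user shell
service servicemanager /system/bin/servicemanager
    user system
"""

if __name__ == "__main__":
    print(root_shell_services(G1_INIT_RC))
    print(root_shell_services(RESTRICTED_INIT_RC))
```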

T-Mobile quickly patched the gaping hole, but not before widespread shenanigans ensued. One report on Google's Android Bug listing describes a user text messaging advice to his girlfriend consisting of the single word “reboot,” only to find his phone rebooting. Surprise!

Subsequently, the bug report was apparently marked as a security issue, in order to make it inaccessible to the public. However, Pandora had already left the building, possibly with Elvis in tow, thanks to a post to the XDA-Developers forum. This, in turn, led to at least one enterprising user posting a howto on gaining a root shell. Next, another G1 owner thoughtfully documented the process of installing Debian on a 16GB SD card, and booting the G1 into it.

Ah, but you can only have so much of a good thing. T-Mobile bottled up the fun with an “RC30” OTA (over-the-air) firmware fix that closed down the laughable loophole.

Although the HTC G1 is open to Java development, using freely downloadable tools released under an Apache 2.0 license, G1 owners do not get root access permissions to their actual G1 devices.

At least, not anymore.


 
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.


