Google Scrambles to Patch Buffer Overrun Exploit in Android G1
Security expert Charlie Miller leverages a flaw within an SDK component of Google's open-source Android operating system. The buffer overrun flaw lets hackers hijack the Web browser on a user's T-Mobile G1 smart phone, which is Google's first big entry into the mobile and wireless game to deliver users mobile Web services. Miller bought a G1 early from a T-Mobile employee on eBay to test his exploit. Google said it is working with T-Mobile on delivering a fix to the device.The T-Mobile G1 smart phone has not even been on the market for one week, but a security expert has already found a significant flaw in the Google Android software that fuels it. The vulnerability, first reported in The New York Times, allows a hacker to hijack a Web browser on a G1 gadget. A user with malicious intent could capture users' user names and passwords for accessing Web sites, such as bank accounts, online retail sites and online auctions.
"I can basically do anything the Web browser has permission to do," said Charlie Miller, principal analyst at Independent Security Evaluators, who wrote an exploit for the flaw based on the Android SDK (software developer kit) Google released to open source. "I can read text messages, read their cookies, see their passwords, watch them surf the Web and watch what they type."