Linked by David Adams on Sun 9th Nov 2008 16:50 UTC, submitted by Hakime
Bugs & Viruses
There's a bug in Android that crosses over from the realm of serious into self-parody: "It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. Wow!"
Not an Android issue
by kwag on Sun 9th Nov 2008 17:18 UTC
kwag Member since:
2006-08-31

This is an OS issue. Not an Android issue.
Read the article!

Reply Score: -1

RE: Not an Android issue
by buff on Sun 9th Nov 2008 17:32 in reply to "Not an Android issue"
buff Member since:
2005-11-12

This is an OS issue. Not an Android issue.

You are right about this. I was reading in the Android forum and people were discussing how debugging code in the kernel was left in which pipes text entry into the shell. The debugging code should have been removed or disabled before deployment. Oops.

Reply Parent Score: 2

RE: Not an Android issue
by sbergman27 on Sun 9th Nov 2008 17:39 in reply to "Not an Android issue"
sbergman27 Member since:
2005-07-24

This is an OS issue. Not an Android issue.

Besides... this is open source. Our security bugs can be as egregious as you please. But as long as a patch is released quickly we can pat ourselves on the back and collect our accolades. ;-)

Google started rolling out the patch yesterday.

Edited 2008-11-09 17:44 UTC

Reply Parent Score: 4

RE[2]: Not an Android issue
by mjg59 on Sun 9th Nov 2008 20:55 in reply to "RE: Not an Android issue"
mjg59 Member since:
2005-10-17

It's nothing to do with the kernel, other than the kernel working as designed. Input event devices are multiplexed through /dev/console and passed to the foreground virtual terminal. If you've launched a graphical environment in that terminal then the keyboard events will be passed back to it. If you also happen to be running a shell underneath that terminal, then bad things are obviously going to happen. The easy workaround is not to run a shell on that terminal. The correct one (which then works independent of the shell) is to put the console in KD_RAW mode, which prevents the passthrough of events. We hit the same issue in X during the migration from the old kbd driver to the new evdev one.

Reply Parent Score: 2
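
An added example, not part of the thread or any commenter's code: a small Linux audit tool for the console keyboard mode discussed in the comment above. It uses the `KDGKBMODE`/`KDSKBMODE` ioctls from `<linux/kd.h>`, where the raw-mode constant is named `K_RAW`; the default path `/dev/tty0` and the function names are assumptions made for illustration.

```c
/* Added example: audit a Linux VT's keyboard mode (not code from the thread). */
#include <fcntl.h>
#include <linux/kd.h>   /* KDGKBMODE, KDSKBMODE, K_RAW, K_XLATE, ... */
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* 1 if the VT turns key presses into characters that tty readers receive. */
int mode_delivers_text(int mode)
{
    return mode == K_XLATE || mode == K_UNICODE;
}

const char *mode_name(int mode)
{
    switch (mode) {
    case K_RAW:       return "K_RAW";
    case K_XLATE:     return "K_XLATE";
    case K_MEDIUMRAW: return "K_MEDIUMRAW";
    case K_UNICODE:   return "K_UNICODE";
    default:          return "other";
    }
}

/* Read the keyboard mode of the VT at `path`. If set_raw is non-zero and the
 * VT is in a translating mode, switch it to K_RAW. Returns the mode found
 * before any change (so the caller can restore it), or -1 on error. */
int audit_vt(const char *path, int set_raw)
{
    int mode = -1;
    int fd = open(path, O_RDONLY | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (ioctl(fd, KDGKBMODE, &mode) < 0 ||
        (set_raw && mode_delivers_text(mode) && ioctl(fd, KDSKBMODE, K_RAW) < 0))
        mode = -1;
    close(fd);
    return mode;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/tty0"; /* assumed default */
    int mode = audit_vt(path, 0);                        /* read-only audit */
    if (mode < 0) { perror(path); return 1; }
    printf("%s: %s%s\n", path, mode_name(mode),
           mode_delivers_text(mode) ? " (typed text reaches tty readers)" : "");
    return mode_delivers_text(mode) ? 2 : 0;
}
```

A program that calls `audit_vt(path, 1)` should pass the returned mode back to `KDSKBMODE` before it exits; otherwise the text console's keyboard stays in raw mode.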