Folks buy the highly secure Blackphone handset for the warm and fuzzy feeling that nobody can see their stuff, but that trust was misplaced until recently, according to security expert Mark Dowd. He found a vulnerability in the text message application of the phone that let attackers steal messages, contacts and location info, and even execute malicious code to gain full control. All a bad guy needed to know was the device’s “SilentCircle” account info or phone number.
According to his blog, the instant messaging application (included with the Blackphone or available on Google Play) had a so-called type confusion vulnerability. That means the app could mistake one type of data for another, and allow hackers to overwrite memory and replace it with malicious code. Luckily, Dowd had been probing his recently purchased Blackphone and discreetly reported the bug to the company, which has now patched it. Considering the way Blackphone markets itself “to address modern privacy concerns,” however, we’d expect hackers, both black and white hat, to keep on testing it.
Via: Ars Technica
Source: Azimuth Security