Friday, February 3, 2012

HTC acknowledges long-running WiFi security flaw, says it kept it quiet to prevent exploits

As far back as September, security researchers discovered a "critical" bug in many HTC Android handsets that exposed users' WiFi credentials to any hacker who cared to look. The flaw affected phones like the EVO 4G and the Thunderbolt, all the way back to the Desire HD. The researchers immediately notified HTC, but the manufacturer waited a whole five months before acknowledging the flaw publicly a few days ago. This might sound a little bit shady, but HTC sent out a statement clarifying that this is standard policy to protect customers. It says that it wanted to develop a fix before it dropped the news on the world. Most newer phones have already received their updates OTA, and older ones will get them eventually too. Meanwhile, in the manufacturer's defense, the guys at the Open1X group who discovered the bug say that HTC was "very responsive and good to work with." Here's HTC's statement:


"HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public."
