The offending line of code has been discovered by Gabriel Castro, a developer attached to the CyanogenMod project, and has apparently been added to the firmware source code in August, when un update that made the default grid format for lockscreen gestures configurable.
The unlock pattern was stored directly on the device, but the good news is that the flaw cannot be exploited in extensive attacks. To access the information, an attacker must first gain physical access to the device or its backup.
Still, that leaves plenty of room for exploitation by malicious friends or co-workers, or jealous partners.
According to Castro, the issue can be easily fixed by commenting the code out or just removing the line, and the firmware will not be affected at all.
The project reacted promptly by removing the line in question and pushing out an update that CyanogenMod users are advised to implement as soon as possible.
"The line of code has been introduced by a respectable member of the Cyanogen community and I don't suspect it has been added with malicious intent," Bogdan Botezatu, senior e-threat analyst at Bitdefender, commented for Infoworld. "Most probably, it is a snippet of code used during debugging and forgotten when committing the code."
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.