CyanogenMod found logging Android unlock swipe gestures
Posted on 24 October 2012.
CyanogenMod, one of the most popular modified Android firmware on the market, has been found containing code that logs the swipe gestures used by the users to unlock their device.

The offending line of code has been discovered by Gabriel Castro, a developer attached to the CyanogenMod project, and has apparently been added to the firmware source code in August, when un update that made the default grid format for lockscreen gestures configurable.

The unlock pattern was stored directly on the device, but the good news is that the flaw cannot be exploited in extensive attacks. To access the information, an attacker must first gain physical access to the device or its backup.

Still, that leaves plenty of room for exploitation by malicious friends or co-workers, or jealous partners.

According to Castro, the issue can be easily fixed by commenting the code out or just removing the line, and the firmware will not be affected at all.

The project reacted promptly by removing the line in question and pushing out an update that CyanogenMod users are advised to implement as soon as possible.

"The line of code has been introduced by a respectable member of the Cyanogen community and I don't suspect it has been added with malicious intent," Bogdan Botezatu, senior e-threat analyst at Bitdefender, commented for Infoworld. "Most probably, it is a snippet of code used during debugging and forgotten when committing the code."


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th