The vulnerability was discovered by researchers Charlie Miller, Mark Daniel and Jake Honoroff from security testing and analysis firm Independent Security Evaluators.
While the three have elected not to disclose the specifics on the flaw until a fix can be issued, they said that a successful exploit could allow an attacker to retrieve all stored information for the victim's browser.
The researchers credited Android for its use of a secure 'sandbox' mode which limits the scope of attacks by cutting off access to outside components, but they also noted what could become a major security hurdle for Android.
The flaw lies within one of the open-source components used by the Android platform, say the researchers.
"The vulnerability is due to the fact Google did not use the most up to date versions of all these packages," the trio noted.
"In other words, this particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version."
Because Android relies on some 80 different open-source components, keeping track of security disclosures and bug fixes could prove difficult, potentially leaving the platform open to future attacks.
News of the disclosure comes less than one week after the first Android-powered handset hit the US market in the form of the T-Mobile G1. Other vendors, including Motorola and Kyocera are also said to be prepping Android units.
First Android flaws surface
By
Shaun Nichols
on Oct 28, 2008 3:17PM
A trio of researchers have disclosed the first security flaw for the Google Android platform and pointed out a fundamental security problem in the open source process.
