The latest version of Google Android has failed to fully fix a previously noted flaw.
The vulnerability was first discovered in Android 2.2 last year, and Google promised to patch it in the next version. However, a researcher has revealed the hole still exists in 2.3 on Google's own Nexus S handset.
"Unfortunately, our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed," wrote Xuxian Jiang, an assistant professor at NC State University.
"We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone," he said.
If a user is tricked into visiting a malicious site, the flaw could let hackers view any files stored on the SD card, as well as view a list of apps and upload them to a remote server.
Jiang noted that because Android is sandboxed, the attack can only access a few files other than those on an SD card.
The researcher said he had seen no attacks using the flaw yet, and noted Google has again promised a fix will be included in the next major release of the mobile OS.
Despite Google's failure to fix the flaw the first time around, Jiang praised the company for its quick response. "From the interaction, I can tell that it took this issue seriously and the investigation was started immediately without any delay."
A spokesperson for Google said: "We've incorporated a fix for an issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone. We're in communication with our partners."