The flaw allows anyone with access to the phone to locate the data stored on it by using the “find” feature.
“Palm OS Treo smartphones are susceptible to a local information-disclosure vulnerability because the software fails to properly secure access to certain features when locked,” the posting on Symantec’s SecurityFocus website said.
“Successfully exploiting this issue allows attackers with physical access to affected devices to obtain potentially sensitive information. This may aid them in further attacks.”
Jamie Cowper, marketing manager EMEA at PGP Corporation, added: “As more people store sensitive data on smartphones such as the Treo, it is imperative that this information receives the same level of protection as data stored on the corporate network. Merely locking the device only creates a false sense of security.
“Companies need to extend their IT security policies to workers’ mobile devices, and encryption should be at the heart of these policies. This remains the only way to ensure that data stays completely protected, even if the devices are lost or stolen.”
Palm has yet to issue a patch for the flaws.