ZD Net reports a very embarrassing security flaw has been found on the Google Android platform. Fortunately, Google has already patched the hole but it was a very nasty one:
It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. Wow!
When I first read this I didn’t believe it. Then I read it again, and again, and finally tried it for myself. It’s true. Don’t believe me? Save anything you’re working on (this will reboot your phone!), open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: -r-e-b-o-o-t-. Poof, your phone will reboot. This only works on a real phone, not in the emulator, and only with firmware version 1.0 TC4-RC29 and earlier.