25 comments

[ 4.6 ms ] story [ 65.4 ms ] thread
Wow... that's pretty bad. I just tried it and it works.

I hope they roll out a fix soon -- it's a little scary to think that each keystroke is going to both the current application and an invisible, root-level command prompt.

But I hope that they don't cut off root access!
I'm curious: What would you do with root access that you can't already do with the phone itself?
Routing between 3G and 802.11 comes to mind, although I don't know if the kernel has the right modules.
For example: flash your own image (without root, you can only flash image signed by T-Mobile/Google/HTC; how good is to have access to source code, if you can't build it and run it on real device?), create VPN connections, write useful bluetooth profiles like DUN (tethering done correctly) or A2DP. What you can do with root access is much longer list than what you can do the Google blessed way.
The "if you've done nothing wrong, you've nothing to hide" argument in another disguise.

You're the one (as much as) arguing in favour of expending effort, adding code and complexity to restrict my root access, the burden is on you to justify doing so, not on me to refute it.

Luckily I don't type "sudo rm -rf /" or similar things in normal conversation very often...
True, you wouldn't type a delete command in normal conversation, but you have to feel sorry for the guys in the bug report who were running ssh sessions on their phones... They were typing UNIX commands and thus were at a much higher risk of harm.

You wouldn't need the "sudo" -- it's a root-level prompt.

(Hmm... typing "make me a sandwich" unfortunately has no visible effects...)

Good thing you didn't post this comment from an Android phone... ;-)
I just tried it as well and... it works. It's pretty scary but has some good prank-potential until they fix it :)
If I were a malicious person, I'd head to my local T-Mobile store to `rm -rf /`

But I'm not a malicious person, so I'll only reboot it just to check it out.

Most of what you could hurt is mounted read-only so... probably wouldn't do much harm, but it's a nice thought anyway :)
I thought it was going to call 911.
That would be the second worst. The worst would be if it called 411 when you dialled 911.
I guess even Google can't get the whole OS thing right on the first try.
This probably isn't Google's fault, it's probably the fault of someone on the T-Mobile team or at HTC who accidently left this running on the OS image put on the phones.
That is nowhere near the worst bug ever. But nice headline attention whoring. Did Michael Arrington guest write?
Yeah definitely not. It's not like the girl's ims from the other end executed on the shell.

Seems like it was an easy bug to find and temporarily patch. An official fix will probably come soon.

Type in "cat" on its own and hit enter. It'll hang the underlying shell until this gets fixed.

You'll need to do this after each reboot of the phone.

The worst bug ever is the arithmetic mistake made by a programmer of a FORTRAN program which crashed a probe to Venus. Millions of dollars down the drain just like that, and just a simple programming error.
That may be the most costly bug ever in terms of money, but there have also been a (small) number of human fatalities resulting from software bugs. Those are arguably much worse than the Venus probe.
(comment deleted)
So the worst bug ever is being logged in a as root on my own device? I can see why this may not be a good idea, particularly on a phone, but it's certainly not the worst bug ever as far as I'm concerned. This is blown out of proportion.