Several months ago, security researchers found a flaw in some of HTC's Android-based smartphones that allowed the phone's WiFi hardware to leak SSID and password information to hackers. HTC was told about this problem but basically ignored the flaw. This week, HTC finally admitted to the issue and said it would release patches for the smartphones that had the WiFi flaw.
So why did HTC wait months before admitting to the problem and fixing it? Engadget got a statement from the company, which basically said it wanted to develop a fix before alerting consumers to the issue. The full statement is as follows:
HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public.
HTC's support page states that most of its Android phones have had the WiFi flaw fixed via an automatic update, but that some phones will need to be manually updated to deal with the issue. It adds, "Please check back next week for more information about this fix and a manual download if you need to update your phone."