RIM has told BlackBerry users to cripple their phones’ Web browsers — or turn them off altogether — to avoid a security hole uncovered by participants in an annual hacking competition.
A team at Pwn2Own 2011 took advantage of BlackBerry’s recent switch to using a WebKit browser on its phones, reports our sibling site ZDNet. Attacking a BlackBerry Torch 9800, they were able to nick the phone’s contact list and library of photos from the memory card. Emails and other private information stored on the device’s internal storage weren’t affected.
RIM has written a response to the hack that admits the vulnerability exists, although it hasn’t received any reports of anyone using the hack to grab data off BlackBerrys in the real world. It’s worried enough, now that the exploit is out in the open, to suggest some strong medicine.
The hack requires that you visit a malicious website to set it off, so be careful where you roam on your phone.
But RIM also suggests two more serious options. Solo users can disable JavaScript in their phone’s browser, which will cripple some websites. Or, if the Berry is managed by a company using BlackBerry Enterprise Server, its IT department can remove the browser from the phone altogether.
Other software that has fallen at Pwn2Own includes Apple’s Safari browser — which, like the latest BlackBerry browser, is built with the WebKit rendering engine.
The Safari browser on the Apple iPhone 4 was also successfully targeted, the Register reports. But Apple had already fixed the flaw in the iOS 4.3 update released a day before the contest began. Software used in the contest is frozen to weeks before the event to allow participants to prepare.