The last few months have not been kind to HTC on the security and privacy front. First there was a bug in HTC's Sense skin that allowed remote file access on a handful of smartphones, then the whole Carrier IQ debacle, which was demonstrated mostly on HTC's hardware. The latest snafu was uncovered by the United States Computer Emergency Readiness Team, which states that a considerable number of HTC phones are running flawed software that allows third-party applications access to encrypted WiFi passwords. The US-CERT team published its findings on the Homeland Security website yesterday.
The flaw is a minor one, allowing any application that holds the "android.permission.INTERNET" permission to read stored SSID passwords. Affected phones tested by the researchers include the Desire HD, Glacier (T-Mobile MyTouch 4G), Droid Incredible, Sensation 4G, ThunderBolt, Desire S, EVO 3D and EVO 4G. While US-CERT recommends visiting the HTC support website for update instructions, HTC has said nothing as of yet about the security hole. Based on its behavior with the last security alert, you can expect it to update the affected handsets within the next few weeks.
Users shouldn't panic: there's been no documented case of apps or malware taking advantage of this loophole as of yet, and it would take some doing for an unscrupulous developer to take advantage of it for personal gain. That said, it might be best to delete stored WiFi SSIDs until the update arrives and rely on a 3G or 4G connection for data, especially if you access sensitive networks at home or at work. US-CERT notes that the Nexus One and T-Mobile MyTouch 3G (HTC Hero), both of which run mostly unmodified Android code, do not suffer from this issue. That means that if you're running a custom ROM built from Android's open-source packages, you're probably safe as well.