It's such a security fail... So big that I doubt it's true. Without any proof, explanation... has anybody been able to reproduce it?
If it's true, it would a great opportunity to see how Google/ZTE reacts to this vulnerability. How much time will ZTE take to correct this and issue an update? And also, will be able Google to stop applications who exploit this vulnerability to go public in the Market? I sincerely doubt it.
By fixing it, I assume they mean removing this backdoor and put in a new one? If they remove it altogether, there's not much reason to have it there in the first place.
Does the reason for the backdoor really have to be to allow malicious remote access (hence requiring a replacement backdoor)?
I highly doubt, considering the obvious nature and simplicity of the binary, that clandestine remote access (i.e. by the Chinese government or other such tinfoil hat theories) was the idea.
Especially given the name of the binary, I suspect some ZTE engineer was tasked with writing a desktop or mobile sync application that they decided needed root access for some reason. Said engineer then made a major mistake and decided a non-unique plaintext secret stored in the binary was adequate security. This happens all the time - see the recent RuggedCom "backdoor" fiasco [0]. It's happened at places I've worked, too, and it's not exactly new in the industry as a whole.
An engineer was uninformed or ignored security best practices and wrote code with a vulnerability. The vulnerability will be patched out. It's a big deal and it sucks (why were all setuid binaries not audited, at least to the level that basic oversights like this one would be noticed?), but at least in my mind it's not some kind of secret government control backdoor conspiracy - it's just a horrible bug.
I understand that, but I meant it more in a philosophical way. The backdoor is not a bug (it's hard for me to imagine that the backdoor was included by accident), so you can't fix it. You can only remove it.
Also, it's not a vulnerability either (from ZTE's point of view). It's a feature.
If it's true, it would a great opportunity to see how Google/ZTE reacts to this vulnerability. How much time will ZTE take to correct this and issue an update? And also, will be able Google to stop applications who exploit this vulnerability to go public in the Market? I sincerely doubt it.