CyanogenMod, a popular open source firmware replacement for Android phones, has patched a hole in its code that was locally logging swipe gestures used to unlock phones. The problem, which stemmed from a line of code that was never intended for release, was fixed in an update posted for download on the firmware’s review site earlier this week.
On the site, developer Gabriel Castro wrote that he was “surprised nobody caught this” and that the problem could be resolved by simply “removing the line without breaking anything.” Castro removed the line of code, which appeared to have been related to a CyanogenMod lock screen update pushed to phones in August.
Even if left unfixed, the problem would take a lot of work to exploit. According to the International Digital Times, attackers would have to gain physical access to phones with CyanogenMod installed and then access the swipe logs, which are stored locally on the device.
According to CyanogenMod’s statistics page, more than 2,500,000 Android users have installed the free, third-party OS replacement on their phones.
Those users who have it installed on their devices can find the latest updates here and a fix for the aforementioned swipe logging flaw here.