A security researcher in Seattle has identified yet another program running in the background of some smartphones in the name of collecting quality of service information. This time the phone is Motorola's (NASDAQ:GOOG) Droid X2, and the program collects data that includes some user passwords—the researcher confirmed that his YouTube password was slurped up—which are then sent back to Motorola over an unencrypted connection.
Motorola doesn't have any real use for YouTube passwords, of course. But the fact that it's collecting them anyway suggests that whoever designed the software is really unclear on the security problems of slurping up data by default. Ironically, the one kind of data security that retailers are most concerned about, PCI, isn't strictly an issue if a customer uses a Droid X2 for mobile commerce, since the data leak is out of PCI scope—it's on the customer side. But a chain's employees might be using a Motorola phone to send their passwords to critical systems too, potentially exposing all the chain's systems to attack.