ZTE has confirmed reports that that its Score smartphone has a security hole that allows anyone with the device's hard-wired password to access its root directory. Once in, it's possible to add, remove, or copy any data that you want. It's the sort of route into a device that manufacturers would use in development, and it's not clear if it was accidentally left in or not, although at least one researcher says that it's being used by ZTE and MetroPCS to install and uninstall apps.
The news first broke last week when a user on Pastebin detailed the flaw in a post entitled nice backdoor, ZTE, and since then security researchers have reported that the international version of the ZTE Skate (sold under the name Orange Monte Carlo in some countries) also has the issue. According to Reuters, ZTE's announcement was regarding a single US model, which doesn't rule out the worldwide Skate from having the issue. We've reached out to ZTE and Orange for clarification, and will update you once we hear back.
ZTE Root backdoor, used by ZTE/MetroPCS to install/uninstall apps... why the hell? pastebin.com/raw.php?i=i0FK… @PaulOBrian @TheDeadCpu— Justin Case (@TeamAndIRC) May 14, 2012
Update: ZTE tells Reuters that the company is working on a fix now:
ZTE is actively working on a security patch and expects to send the update over-the-air to affected users in the very near future. We strongly urge affected users to download and install the patch as soon as it is rolled out to their devices.