Security expert who ‘hacked’ into Xiaomi server threatened with legal action by Chinese company

A security researcher’s claim to have hacked servers belonging to Xiaomi is being called a hoax by the Chinese company, which is also threatening to seek legal action against the parties involved. The security expert who supposedly discovered a zero-day vulnerability on Xiaomi’s website and acquired the credentials of millions of user accounts, along with logs, has been identified as Chen Huang.

A zero-day attack takes advantage of a previously unknown vulnerability in an application or OS for which the developers have not yet released a patch. Huang was apparently scheduled to present a paper on the findings at a security conference in India. The Hacker News reports that the talk will be put on hold in order to give Xiaomi time to investigate the matter. The company, however, is hinting that the claim is an attempt to damage its reputation.


Xiaomi has a lot to lose if such allegations are proved true. It was recently seen trying to disprove accusations that smartphone user data was secretly being sent to its servers in Beijing. The IAF was largely responsible for settling that matter by readily informing everyone, including yours truly, that its alert about the company’s phones being a security threat was based on an outdated memo circulated amongst its personnel.

Market research firm IDC ranks Xiaomi as the third largest smartphone vendor in the world, after Samsung and Apple. The Chinese company’s climb to success has been dotted with controversy, and it can’t afford to keep expending resources on rebutting rumors all the time. It insists that it has faced only one security incident: a two-year-old user account file that was leaked in May of this year.


The file is said to have held information from customer accounts registered before 2012 on an old version of the Xiaomi user forum. According to the OEM, a more secure system was launched within a month of that, rendering the leaked data obsolete. Users were nevertheless asked to change their passwords as a precaution.