Bluebox Security, a mobile-security start-up, had discovered the vulnerability and were planning to disclose the details of the bug in a presentation at the Black Hat USA 2013 conference. They were in the process of working with Google and some of the mobile carriers to ensure that users would be protected against the bug before the full details hit the street. They didn t get that chance, however, because someone found a pending Android patch online and was able to reverse-engineer it to figure out the vulnerability.
Source: https://threatpost.com/jeff-forristal-on-the-android-master-key-vulnerability-2/101587/