bit-tech.net

WebOS SMS vulnerability detailed

The WebOS platform is host to some pretty serious security flaws according to Intrepidus Group's researchers.

Palm's WebOS platform - the software behind the Palm Pre smartphone, among others - has a rather nasty bug in it which can lead to remote exploitation via SMS.

According to a post on ZDNet's Zero Day blog, the flaw - discovered by security firm Intrepidus Group - stems from the inability of the SMS client within WebOS to perform input validation on received text messages. As a result, the team found "a rudimentary HTML injection bug [that] leads directly to injecting code into a WebOS application" - something Intrepidus describes as "quite dangerous," allowing a single SMS to bring the system to its knees.

It's a pretty serious flaw, made worse by the simplicity of the injection mechanism: no exploit chain is needed, since the injected markup is rendered by the application itself. One text message is enough to bring the system to its knees, or to send the user to a malicious website that quietly downloads a Trojan or other malware.

Sadly, a fix could take a while: the company blames the simplicity - and seriousness - of the hack on the very nature of the WebOS platform itself. The researchers claim that "these bugs can all be traced back to the fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML," so untrusted text that reaches an application's page without escaping becomes part of that page. They believe that Palm - which is allegedly trying to find a buyer - should have caught the issue in early testing. The fact that current handsets in the wild suffer from such a simple flaw shows, the team claims, that Palm "put almost no thought into security during [its] development of WebOS."
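As an added illustration, not code from Intrepidus Group, Palm or this article: the pattern described above is a web view that concatenates an SMS body straight into HTML. The JavaScript below shows that unsafe rendering next to a hardened version and a simple markup check a handset or gateway could use for logging; all function names and the sample message are hypothetical.

```javascript
// Added example (not Intrepidus Group's or Palm's code): a simulated
// WebOS-style SMS view that builds HTML from message text, shown in the
// unsafe form the article describes and in a hardened form.

// Escape the five characters that let text change HTML structure or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Unsafe: the message body is concatenated straight into markup, so any tag
// in the SMS becomes part of the application's own page (the injection flaw).
function renderSmsUnsafe(sender, body) {
  return '<div class="sms"><b>' + sender + '</b>: ' + body + '</div>';
}

// Hardened: every untrusted field is escaped before it touches the markup,
// so tags and attributes in the SMS are displayed as literal text.
function renderSmsSafe(sender, body) {
  return '<div class="sms"><b>' + escapeHtml(sender) + '</b>: ' +
         escapeHtml(body) + '</div>';
}

// Detection aid: flag incoming messages that carry markup or a javascript:
// URL, so they can be logged for review rather than rendered silently.
function smsLooksLikeInjection(body) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(body) || /javascript:/i.test(body);
}

// Constructed sample (hypothetical sender and link): an SMS carrying a link,
// the kind of payload the article says could send the user to another site.
const sampleBody =
  'Your account needs attention <a href="http://example.invalid/">click here</a>';

function demo() {
  return {
    unsafe: renderSmsUnsafe('+15550100', sampleBody),
    safe: renderSmsSafe('+15550100', sampleBody),
    flagged: smsLooksLikeInjection(sampleBody),
  };
}
```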

The team has posted a video demonstrating the scope of the vulnerabilities - and thus far Palm hasn't provided a comment as to when the issues raised by Intrepidus might be resolved.

Are you shocked to find such a simple flaw in a supposedly mature, commercially-available mobile platform, or is Intrepidus being more than a little harsh on Palm? Would knowledge of this attack put you off making your next smartphone a WebOS device, or does the platform have bigger issues? Share your thoughts over in the forum.

12 Comments

mi1ez 20th April 2010, 13:20 Quote
Tut tut Palm.

Unimpressed...
DXR_13KE 20th April 2010, 14:49 Quote
How the hell did they manage to do that?
Brooxy 20th April 2010, 15:19 Quote
Having ordered a Pre this morning before this came to bit, I'm hoping it gets resolved quickly...
Floyd 20th April 2010, 15:54 Quote
Wow way to go Palm!
shaffaaf27 20th April 2010, 16:18 Quote
It was fully fixed in the 1.4 update.... This was for 1.3.5.2 and below. Way to tell the full story, bit-tech.
Stelph 20th April 2010, 16:48 Quote
Quote:
Originally Posted by shaffaaf27
It was fully fixed in the 1.4 update.... This was for 1.3.5.2 and below. Way to tell the full story, bit-tech.

shaffaaf27 is correct, this is fixed in 1.4 and above, so Brooxy you should be fine:

http://intrepidusgroup.com/insight/2010/04/webos-examples-of-sms-delivered-injection-flaws/
l3v1ck 20th April 2010, 17:17 Quote
Android, it's the way forward.
shaffaaf27 20th April 2010, 17:21 Quote
Quote:
Originally Posted by l3v1ck
Android, it's the way forward.

Merge Android with WebOS and you have the perfect OS, IMO.
crazyceo 20th April 2010, 17:25 Quote
Quote:
Originally Posted by shaffaaf27
Quote:
Originally Posted by l3v1ck
Android, it's the way forward.

Merge Android with WebOS and you have the perfect OS, IMO.

That will be Windows 7 Mobile and you'll see it in the autumn.
shaffaaf27 20th April 2010, 17:39 Quote
Not with its fail multitasking. But I love the whole hubs idea.
eddtox 20th April 2010, 18:47 Quote
Meh. I'll stick with maemo, thank you very much.
HourBeforeDawn 20th April 2010, 19:54 Quote
Thank god this was fixed in 1.4, lol. Got my Pre Plus last week; the first thing I did was update it to 1.4 ^_^ Such an awesome little phone.