WebOS SMS vulnerability detailed

April 20, 2010 | 12:53

Tags: #palm-pre #security #smartphone #sms #sms-vulnerability #webos

Companies: #palm

Palm's WebOS platform - the software behind the Palm Pre smartphone, among others - has a rather nasty bug in it which can lead to remote exploitation via SMS.

According to a post on ZDNet's Zero Day blog, the flaw - discovered by security firm Intrepidus Group - stems from the inability of the SMS client within WebOS to perform input validation on received text messages. As a result, the team found "a rudimentary HTML injection bug [that] leads directly to injecting code into a WebOS application" - something Intrepidus describes as "quite dangerous," allowing a single SMS to bring the system to its knees.

It's a pretty serious flaw, made worse by the simplicity of the injection mechanism - one simple text message is enough to bring the system to its knees, or send the user to a malicious website to quietly download a Trojan or other malware.

Sadly, a fix could take a while: Intrepidus blames the simplicity - and seriousness - of the hack on the very nature of the WebOS platform itself. Claiming that "these bugs can all be traced back to the fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML," the researchers behind the attack believe that Palm - which is allegedly trying to find a buyer - should have caught the issue in early testing. The fact that current handsets in the wild suffer from such a simple flaw shows, the team claims, that Palm "put almost no thought into security during [its] development of WebOS."
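To show why missing input validation matters when a messaging app is built from HTML and JavaScript, here is an added example (not code from Palm, WebOS or Intrepidus) that renders one received message two ways. It assumes the view is built by string concatenation; the function names and the sample message are hypothetical and constructed for illustration.

```javascript
// Added illustration only: NOT Palm's or Intrepidus's code. All names are hypothetical.

// Constructed sample: an SMS body that carries markup instead of plain text.
const sampleSms = {
  from: "+15550100",
  body: 'Hi <b>there</b> <a href="http://example.invalid/">tap here</a>',
};

// Weak pattern: the body is concatenated straight into the view's HTML, so
// any tags the sender typed become part of the application's own page.
function renderUnsafe(msg) {
  return '<div class="sms"><span class="from">' + msg.from +
         '</span><p>' + msg.body + '</p></div>';
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every sender-controlled field is encoded at output time,
// so the message is displayed as the literal text that was received.
function renderSafe(msg) {
  return '<div class="sms"><span class="from">' + escapeHtml(msg.from) +
         '</span><p>' + escapeHtml(msg.body) + '</p></div>';
}

// The template itself contains 6 tags (div, span, p, each opened and closed).
const TEMPLATE_TAGS = 6;

// Number of tags in the rendered view that came from the message, not the template.
function injectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length - TEMPLATE_TAGS;
}

console.log("unsafe view, sender-supplied tags:", injectedTags(renderUnsafe(sampleSms)));
console.log("safe view, sender-supplied tags:  ", injectedTags(renderSafe(sampleSms)));
console.log(renderSafe(sampleSms));
```

Where the view is built through the DOM rather than strings, assigning the message to an element's `textContent` gives the same result without a hand-written encoder.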

The team has posted a video demonstrating the scope of the vulnerabilities - and thus far Palm hasn't provided a comment as to when the issues raised by Intrepidus might be resolved.

Are you shocked to find such a simple flaw in a supposedly mature, commercially-available mobile platform, or is Intrepidus being more than a little harsh on Palm? Would knowledge of this attack put you off making your next smartphone a WebOS device, or does the platform have bigger issues? Share your thoughts over in the forum.