WebOS SMS vulnerability detailed

Gareth Halfacree, Bit-Tech, 4/20/2010

Palm’s WebOS platform – the software behind the Palm Pre smartphone, among others – has a rather nasty bug in it which can lead to remote exploitation via SMS.

According to a post on ZDNet’s Zero Day blog, the flaw – discovered by security firm Intrepidus Group – stems from the inability of the SMS client within WebOS to perform input validation on received text messages. As a result, the team found “a rudimentary HTML injection bug [that] leads directly to injecting code into a WebOS application” – something Intrepidus describes as “quite dangerous,” allowing a single SMS to bring the system to its knees.

It’s a pretty serious flaw, made worse by the simplicity of the injection mechanism – one simple text message is enough to bring the system to its knees, or send the user to a malicious website to quietly download a Trojan or other malware.

Sadly, a fix could take a while: Intrepidus blames the simplicity – and seriousness – of the hack on the very nature of the WebOS platform itself. Claiming that “these bugs can all be traced back to the fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML,” the researchers behind the attack believe that Palm – which is allegedly trying to find a buyer – should have caught the issue in early testing. The fact that current handsets in the wild suffer from such a simple flaw shows, the team claims, that Palm “put almost no thought into security during [its] development of WebOS.”
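
An added example, not code from Intrepidus, Palm or the original article, of the bug class described above: a received message body concatenated into an HTML view, next to the same body encoded on output. The function names, the template markup and the sample message are constructed for illustration and do not reflect WebOS's actual messaging code.

```javascript
// Added example: treat the SMS body as untrusted text, never as markup.
// All names, the template and the sample message are constructed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can open a tag, attribute value or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the message is concatenated straight into markup,
// so any tags in the SMS become part of the application's own page.
function renderMessageUnsafe(sender, body) {
  return '<div class="msg"><span class="from">' + sender + "</span>" +
         '<p class="body">' + body + "</p></div>";
}

// Hardened pattern: both sender-controlled fields are encoded on output.
function renderMessageSafe(sender, body) {
  return '<div class="msg"><span class="from">' + escapeHtml(sender) + "</span>" +
         '<p class="body">' + escapeHtml(body) + "</p></div>";
}

// List the elements present in rendered markup, so the result can be
// compared with the elements the template itself is supposed to contain.
function elementNames(html) {
  const names = [];
  const tagPattern = /<([a-zA-Z][a-zA-Z0-9]*)\b/g;
  let m;
  while ((m = tagPattern.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample: a text message whose body carries harmless markup.
const sampleSender = "+15555550100";
const sampleBody =
  'Lunch at 1? <a href="https://example.invalid/">menu</a> & <b>bring cash</b>';

console.log(elementNames(renderMessageUnsafe(sampleSender, sampleBody)));
console.log(elementNames(renderMessageSafe(sampleSender, sampleBody)));
```

The unsafe renderer yields two elements the template never defined, while the encoded output contains only the template's own `div`, `span` and `p`.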

The team has posted a video demonstrating the scope of the vulnerabilities – and thus far Palm hasn’t provided a comment as to when the issues raised by Intrepidus might be resolved.

Are you shocked to find such a simple flaw in a supposedly mature, commercially-available mobile platform, or is Intrepidus being more than a little harsh on Palm? Would knowledge of this attack put you off making your next smartphone a WebOS device, or does the platform have bigger issues? Share your thoughts over in the forum.

Posted on April 20, 2010 at 9:04 am by lesliemanzara
In: Mobile Technology, Palm (HP)

One Response

  1. Written by Pooja
    on July 19, 2010 at 6:14 am

    Love the collection on this site. Visit this site almost everyday, have it in my favorites. For all the readers would like to share a SMS site. Feel it will be useful to you.
