Slashdot Mirror


Palm WebOS Hacked Via SMS Messages

gondaba writes "Security researchers at the Intrepidus Group have hacked into Palm's new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities. The white hat hackers found that the WebOS SMS client did not properly perform input/output validation on any SMS messages sent to the handset, leading to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message)."
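What the summary describes is untrusted SMS text being concatenated straight into the markup of an HTML-based WebOS application. The following is an added illustration, not code from Palm, WebOS or the Intrepidus Group research: the vulnerable rendering pattern next to its HTML-encoded form, with a constructed sample message and an output-side check a test suite could run. The function names, the message fields and the sample message are assumptions.

```javascript
// Added example (not Palm's or Intrepidus Group's code). The bug class from the
// summary is "untrusted text concatenated into an HTML-based UI": the SMS body
// is attacker-controlled data and must be encoded for the HTML context it lands
// in before the renderer sees it.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that has meaning in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the body and sender are interpolated straight into
// markup, so any tags inside the SMS become part of the application's DOM.
function renderBubbleUnsafe(msg) {
  return `<div class="sms" data-from="${msg.from}">${msg.body}</div>`;
}

// Hardened pattern: every untrusted field is escaped for the context it is
// placed in (attribute value and text node).
function renderBubbleSafe(msg) {
  return `<div class="sms" data-from="${escapeHtml(msg.from)}">${escapeHtml(msg.body)}</div>`;
}

// Output-side check: the only tags present in the rendered fragment should be
// the template's own <div>; anything else came from the message text.
function hasOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?div(\s|>)/.test(t));
}

// Constructed sample message (assumption, not a payload from the report):
// the body contains markup and characters that are special in HTML.
const SAMPLE = { from: "+15550100", body: 'lunch? <i>today</i> & "tomorrow"' };

function demo() {
  return {
    unsafeLeaksTags: !hasOnlyTemplateTags(renderBubbleUnsafe(SAMPLE)),
    safeRendersInert: hasOnlyTemplateTags(renderBubbleSafe(SAMPLE)),
  };
}
```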

6 of 99 comments

  1. Wow by coniferous · Score: 5, Insightful

    I cannot believe that: a) An exploit like this exists. SANITIZE ALL INPUTS! b) It took this long to find. This reminds me a lot of the exploit on Android where it acted like all text entered was typed into a terminal.

  2. Re:Lol by jsnipy · Score: 4, Insightful

    It's more about testing processes as opposed to development processes ("coding").

    --
    -- if you mod me down, I will become more powerful than you can possibly imagine
  3. Re:Dangerous? by SoTerrified · Score: 2, Insightful

    What if you're trying to call 911 but your phone has been rooted? I'd call that dangerous and could very easily cost lives or property...

  4. Re:Lol by 228e2 · Score: 2, Insightful

    Nah, parent is correct.

    It's really not that hard to write protective measures for, of all things, input validation. That's literally day 3 material in any intro web programming class these days.

    --
    Since when does being a Socialist mean 'someone who has a different opinion than me'?
  5. Re:Lol by ravenscar · Score: 3, Insightful

    Sure, the developers should have known better, but issues like this pop up due to an inherent problem in most software development processes. That problem is that specs are written that say what the software should do. Every once in a while the specs note a couple things the software shouldn't do. The specs then go to testers who make sure that the software does everything in the specs and, when it meets spec, everyone signs off. There's often little attention paid to making sure that software DOESN'T do things that aren't spec'd. This problem is further exacerbated in many shops that outsource testing to vendors. In such situations the testers cover only the very specific items noted in the contract and nothing else.

    Shops that want to prevent problems like this need to bring back some creative types for testing. You know, the ones you can hand a device to and say "I dare you to f*ck this thing up" and who will take it as a challenge. Unfortunately, those types often command a higher $$ figure than management is willing to pay when "there is a team of people in India who'll test this thing to spec for $30 an hour."

    Of course, you need a little bit of both in this world. It's important to have spec testers who'll follow strict methodology just as it's important to have creative testers that will find all that stuff nobody thought about.

  6. Re:Dangerous? by Itninja · Score: 2, Insightful

    What if you need to call 911 and your battery is dead? Are dead batteries a danger to lives or property?

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.