Slashdot Mirror


Palm WebOS Hacked Via SMS Messages

gondaba writes "Security researchers at the Intrepidus Group have hacked into Palm's new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities. The white hat hackers found that the WebOS SMS client did not properly perform input/output validation on any SMS messages sent to the handset, leading to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message)."

17 of 99 comments

  1. Lol by Codename+Dutchess · · Score: 2, Funny

    These are always my favorite posts to read. Nothing like hiring 12 year olds to code your software.

    1. Re:Lol by jsnipy · · Score: 4, Insightful

      It's more about testing processes as opposed to development processes ("coding").

      --
      -- if you mod me down, I will become more powerful than you can possibly imagine
    2. Re:Lol by 228e2 · · Score: 2, Insightful

      Nah, parent is correct.

      It's really not that hard to write protective measures for, of all things, input validation. That's literally day 3 material in any intro web programming class these days.

      --
      Since when does being a Socialist mean 'someone who has a different opinion than me'?
    3. Re:Lol by ravenscar · · Score: 3, Insightful

      Sure, the developers should have known better, but issues like this pop up due to an inherent problem in most software development processes. That problem is that specs are written that say what the software should do. Every once in a while the specs note a couple things the software shouldn't do. The specs then go to testers who make sure that the software does everything in the specs and, when it meets spec, everyone signs off. There's often little attention paid to making sure that software DOESN'T do things that aren't spec'd. This problem is further exacerbated in many shops that outsource testing to vendors. In such situations the testers cover only the very specific items noted in the contract and nothing else.

      Shops that want to prevent problems like this need to bring back some creative types for testing. You know, the ones you can hand a device to and say "I dare you to f*ck this thing up" and who will take it as a challenge. Unfortunately, those types often command a higher $$ figure than management is willing to pay when "there is a team of people in India who'll test this thing to spec for $30 an hour."

      Of course, you need a little bit of both in this world. It's important to have spec testers who'll follow strict methodology just as it's important to have creative testers that will find all that stuff nobody thought about.

    4. Re:Lol by FatdogHaiku · · Score: 2, Funny

      Obligatory XKCD

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    5. Re:Lol by bhtooefr · · Score: 2, Funny

      Obligatory post pointing out that funny doesn't give karma.

  2. Wow by coniferous · · Score: 5, Insightful

    I cannot believe that: a) An exploit like this exists. SANITIZE ALL INPUTS! b) It took this long to find. This reminds me a lot of the exploit on Android where it acted like all text entered was typed into a terminal.

    1. Re:Wow by teknopurge · · Score: 3, Interesting

      There was an SMS exploit for a version of iPhone OS that would brick it, and just checking with a few people there are some nasty 0-days out there for it. At least you can't turn the Palm into a paperweight from 10,000 miles away...

  3. WebOS 1.4 by spiderbitendeath · · Score: 5, Interesting

    My Pre is running the latest 1.4.1.1 WebOS version. I tried their "exploits" on it, it did nothing, had no effect on it. In the video they're running an outdated version of WebOS, 1.3.5. WebOS will download updates OTA automatically, and install them if you don't do it after a certain number of days. To me, the likeliness of these still being issues is close to null and void.

    --
    Sometimes when I'm working on projects things disappear, I suspect gremlins.
    1. Re:WebOS 1.4 by X0563511 · · Score: 4, Informative

      1.4 explicitly fixed these issues.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:WebOS 1.4 by X0563511 · · Score: 2, Funny

      Indeed. I actually jumped into the developer's IRC channel to check in on this, and one of them told me about it being fixed already.

      I felt like an ass. Thanks, Slashdot.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  4. Anonymous Coward by Anonymous Coward · · Score: 2, Informative

    This has been fixed with the 1.4 update, not sure why it's news.

  5. Re:Dangerous? by SoTerrified · · Score: 2, Insightful

    What if you're trying to call 911 but your phone has been rooted? I'd call that dangerous and could very easily cost lives or property...

  6. Re:Dangerous? by Itninja · · Score: 2, Insightful

    What if you need to call 911 and your battery is dead? Are dead batteries a danger to lives or property?

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  7. Re:Intrepidus are straight up losers. by zullnero · · Score: 2, Informative

    Oh, darn it. Slashdot's login script didn't execute in time for me to post this as myself.

  8. WebOS does display sanitization by default by ensignyu · · Score: 4, Interesting

    You have to explicitly enable the "I know what I'm doing, stop protecting me" flag in your app to allow these types of exploits.

    http://developer.palm.com/index.php?option=com_content&view=article&id=1756
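
Added example, not part of the comment above and not Palm's code: a small template renderer that escapes message fields by default and only emits raw HTML when the caller opts out, which is the behaviour the comment describes. The `escapeHTML` option, the `#{name}` placeholder syntax, the function names and the sample message are all assumptions made for illustration.

```javascript
// Hypothetical SMS list renderer (illustration only, not webOS framework code).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHTML(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fill #{name} placeholders. Values are escaped unless the caller passes
// { escapeHTML: false }, a hypothetical stand-in for the opt-out flag.
function renderTemplate(template, values, options = {}) {
  const escape = options.escapeHTML !== false;
  return template.replace(/#\{(\w+)\}/g, (match, key) => {
    const raw = Object.prototype.hasOwnProperty.call(values, key) ? values[key] : '';
    return escape ? escapeHTML(raw) : String(raw);
  });
}

// Review aid: true when the rendered row contains more tags than the
// template itself, i.e. message data ended up as markup.
function introducesMarkup(template, rendered) {
  const countTags = (s) => (s.match(/<[a-zA-Z\/!]/g) || []).length;
  const baseline = countTags(template.replace(/#\{\w+\}/g, ''));
  return countTags(rendered) > baseline;
}

const ROW = '<div class="msg"><span class="from">#{sender}</span><p>#{body}</p></div>';

// Constructed inbound message: the body carries markup chosen by the sender.
const SAMPLE_SMS = {
  sender: '+15550100',
  body: 'Lunch? <a href="http://example.invalid/">tap here</a> & reply',
};

const safeRow = renderTemplate(ROW, SAMPLE_SMS);
const unsafeRow = renderTemplate(ROW, SAMPLE_SMS, { escapeHTML: false });

console.log(safeRow);
console.log('default introduces markup:', introducesMarkup(ROW, safeRow));
console.log('opt-out introduces markup:', introducesMarkup(ROW, unsafeRow));
```

A check like `introducesMarkup` can run in unit tests over every view that displays message text, so a template that switches escaping off fails the build.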

  9. Nothing to see here, please move along by loftwyr · · Score: 2, Informative

    From the source release:

    (Note: the findings herein affect WebOS 1.3.5. Palm has since released WebOS 1.4, which fixes these vulnerabilities, though not all handsets or carriers are running this version. Due to contractual agreements, the public disclosure of this information was delayed.)