Slashdot Mirror
Palm WebOS Hacked Via SMS Messages
gondaba writes "Security researchers at the Intrepidus Group have hacked into Palm's new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities. The white hat hackers found that the WebOS SMS client did not properly perform input/output validation on any SMS messages sent to the handset, leading to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message)."
I cannot belive that: a) An exploit like this exists. SANITIZE ALL INPUTS! b) It took this long to find. This reminds me a lot of the exploit on android where it acted like all text entered was typed into a terminal.
My Pre is running the latest 1.4.1.1 WebOS version. I tried their "exploits" on it, it did nothing, had no affect on it. In the video they're running an outdated version of WebOS, 1.3.5. WebOS will download updates OTA automatically, and install them if you don't do it after a certain number of days. To me, the likeliness of these still being issues is close to null and void.
Sometimes when I'm working on projects things disappear, I suspect gremlins.
Its more about testing processes as opposed development processes ("coding").
-- if you mod me down, I will become more powerful than you can possibly imagine
You have to explicitly enable the "I know what I'm doing, stop protecting me" flag in your app to allow these types of exploits.
http://developer.palm.com/index.php?option=com_content&view=article&id=1756