Researchers Uncover Holes In WebOS Smartphones

Linux-based platform prone to Web-injection vulnerabilities and targeted attacks for stealing data

A pair of researchers has discovered multiple flaws in the WebOS smartphone platform, including one that could let an attacker build a mobile botnet or execute other remote attacks.
Orlando Barrera and Daniel Herrera of SecTheory plan to demonstrate their findings tomorrow at the
Austin Hackers Association
meeting in Texas. The most dangerous of the vulnerabilities is an injection flaw they found on the WebOS version 1.4.X that allows remote command and control, including access to a phones files or injecting a remote JavaScript backdoor into the phones Contacts Application to build a botnet.
This is a simple attack process with severe impact to end users. In the condition of remote command and control, this could [be] used in many of the same ways as a botnet: submitting spam, clickjacking, ad revenue, Barrera says. The researchers tested exploits on Palm Pre running WebOS version 1.4.X.
Meanwhile, HP has fixed the Contacts application issue as of the WebOS 2.0 beta, but the researchers have found a mix of other bugs, including ones of the floating-point overflow, denial-of-service, and cross-site scripting variety, in the new beta version of the smartphone platform.
Some inherent design elements of WebOS leave it prone to XSS and other attacks, they say. Any mobile computing device with Internet connectivity running WebOS with its current feature set would be vulnerable, Herrera says.
WebOS is less secure than other smartphones mainly because the intent of the environment was to simplify application development, he says. The WebOS platform cuts out the middleman; the delivery mechanism is the device compromised since the local system commands can be leveraged by Web technologies like JavaScript, Herrera says. This is not to say that other mobile operating systems are devoid of flaws. It just means that [Palms] intent of creating an environment to ease application development also resulted in easing the development of exploitation.
The researchers found that the Company field in the Contacts app window was unsanitized, so they were able to inject code that ultimately grabbed the Palms database file with emails, email addresses, contact list, and other information. In a second attack, they inserted a JavaScript hook to use keyloggers and other tools. That could then be used by bad guys to build a mobile botnet, for instance.
By not properly sanitizing user-supplied content prior to it being included within the user interface, conditions are created where user-supplied content can execute commands against the system and modify the user experience, Herrera says. Developers should keep in mind that data from third-party sources can be dangerous, whether its from a company or an anonymous user. Measures should be put in place to validate and modify any form of malicious content to prevent local exploitation.
To date, most real-world attacks on smartphones have been relatively benign, but security experts such as Herrera and Barrera predict that all will soon change as these devices get smarter and become more of a work tool for mobile users.
We believe there is more work to be done in the mobile sector with regard to security. We hope that our work helps end users understand the risks related to using mobile devices for day-to-day activities and communication, Barrera says.
This isnt the first time Palm Pre smartphones have been hacked by researchers. A
proof-of-concept attack exploiting an email flaw
was released last year, and an
SMS injection flaw
was demonstrated earlier this year.
Have a comment on this story? Please click Discuss below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Researchers Uncover Holes In WebOS Smartphones