Palm Pwned: Researchers Hack WebOS With Text Messages

Security researchers at the Intrepidus Group have hacked into Palm’s new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities.

Hackers at the security consulting firm found that the WebOS SMS client did not properly perform input/output validation on any SMS messages sent to the handset.

This led to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message).

The researchers were able to send a number of text messages to a device running WebOS to perform HTML injection attacks that opened a Web site by simply reading a text message or, worse, turned off the handset’s radio.
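The missing output validation described above, shown as an added example (not Palm's or Intrepidus' code): a message view that concatenates the SMS body into its own markup, next to a version that output-encodes it first. The function names and the sample message are constructed for illustration.

```javascript
// Added example: hypothetical function names, constructed sample data.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the message body is concatenated into the view's markup as-is,
// so any tags the sender typed become part of the application's own page.
function renderMessageUnsafe(sender, body) {
  return '<div class="msg"><span class="from">' + sender + '</span>' +
         '<p>' + body + '</p></div>';
}

// "After": both sender-controlled fields are output-encoded for the HTML
// text context, so they can only be displayed, never parsed as markup.
function renderMessageSafe(sender, body) {
  return '<div class="msg"><span class="from">' + escapeHtml(sender) + '</span>' +
         '<p>' + escapeHtml(body) + '</p></div>';
}

// Regression check: the template contributes exactly three opening tags
// (div, span, p). Any opening tag beyond those came from message content.
function injectedTagCount(html) {
  const openingTags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return openingTags.length - 3;
}

// Constructed sample SMS containing benign markup only.
const sampleSender = '+15550100';
const sampleBody =
  'Lunch? <b>12:30</b> at <a href="https://example.com/menu">the usual</a> & bring $5';

console.log('unsafe view, injected tags:',
  injectedTagCount(renderMessageUnsafe(sampleSender, sampleBody)));
console.log('safe view, injected tags:',
  injectedTagCount(renderMessageSafe(sampleSender, sampleBody)));
console.log(renderMessageSafe(sampleSender, sampleBody));
```

The tag count works as a unit-test assertion for any view that renders untrusted text: a non-zero result means message content reached the HTML parser.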

“These bugs can all be traced back to the fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML. This also means that WebOS applications are subject to the numerous web applications vulnerabilities that any seasoned penetration tester would be all too familiar with,” the researchers warned.

The research team said the flaws were uncovered “within a matter of hours,” suggesting that Palm “put almost no thought into security during their development of WebOS.”

All of the low hanging fruit discovered should have been identified in the most basic of threat models, which should have been performed during the very early development stages of WebOS, way before any code was written. If they were, then we would imagine that slight changes to the underlying architecture of WebOS could have been implemented to protect against common web application vulnerabilities that are found in WebOS applications. Or, at the very least, common web application vulnerabilities would not have surfaced in WebOS applications written by Palm themselves.

The team created a video to demonstrate the HTML injection attack vectors.

While the research was limited to the Palm WebOS platform, Intrepidus cautioned that any app installed via the marketplace (even other Palm-developed apps) may be vulnerable to this or other common web application vulnerabilities.

Discussion

  • Anonymous on

    This is on an old version of WebOS.

  • Anonymous on

    talk about kicking a dead horse....

  • moxy on

    The bugs in 1.3.5 are fixed BECAUSE INTREPIDUS FOUND THEM.

    They can't responsibly publish until the handset manufacturers ensure the old versions are no longer in the field.

    Ignorance everywhere! Fun video though.

  • Anonymous on

    @Anonymous...

    The reason this is on an old version of WebOS is because they disclosed the vulnerabilities to Palm, who has since fixed them.

  • Anonymous on

    So...don't release old info as new and exciting stuff. It's fixed, been fixed for a while. And unless you're a total moron and doctoring yourself down to a pre-fix rev (i.e. - <1.4.0) you're good. This article is not only FUD, it's rehashed, overstated FUD.

  • w3cvalidation on

    Nice information, I really appreciate the way you presented. Thanks for sharing.

  • Anonymous on

    useless information, not even valid anymore. Waste of time!

  • Anonymous on

    Perhaps useless to hackers, but maybe a useful lesson to others who might be about to make the same mistakes.
