Palm WebOS cracked via text message
Category : General 23 Apr 2010 07:29 AM | Industry News
The team at Intrepidus Group worked on a Palm Pre running version 1.3.5 of the webOS operating system and within hours found it open to many common vulnerabilities due to its inherent design.
In webOS, the platform is a Web browser and applications are written in HTML and JavaScript. This is appealing, but experience tells us that Web browsers are difficult to secure. In a sense, all Intrepidus showed in its demo video is one problem: the webOS SMS client fails to properly scrutinize and sanitize messages before displaying them in the browser interface.
Researchers who took a look at Palm’s OS found that they were able to crack it with a single text message. The researchers – from the Intrepidus Group – experimented with the Palm Pre mobile phone, running the 1.3.5 webOS version.
Intrepidus Group, a security and risk company, found a flaw in Palm's WebOS. Due to a flaw in the way SMS is implemented on the device, the researchers were able to send a specially formed SMS message containing HTML set to execute commands.
The team found that the SMS system did not perform input/output validation. This allows an HTML injection attack: an iframe inserted into the message is activated automatically, as the team demonstrated in a video.
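
The missing output validation described above can be illustrated with a message renderer written in JavaScript, the language of webOS applications. This is an added example, not webOS or Intrepidus code; the function names, the `sms-body` class and the sample message are assumptions constructed for illustration.

```javascript
// Added example: hypothetical SMS renderer, not code from webOS.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that has meaning in HTML text or attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed pattern: the untrusted message body is concatenated into markup as-is,
// so any tag in the message becomes part of the page.
function renderMessageUnsafe(body) {
  return '<div class="sms-body">' + body + '</div>';
}

// Hardened pattern: encode all message text, and emit only markup the client
// generates itself (here, links for http/https URLs found in the message).
function renderMessageSafe(body) {
  const text = String(body);
  const urlPattern = /https?:\/\/[^\s<>"']+/g;
  let html = '';
  let last = 0;
  for (const match of text.matchAll(urlPattern)) {
    html += escapeHtml(text.slice(last, match.index)); // text before the URL
    const url = escapeHtml(match[0]);                  // URL is encoded too
    html += '<a href="' + url + '">' + url + '</a>';
    last = match.index + match[0].length;
  }
  html += escapeHtml(text.slice(last));                // trailing text
  return '<div class="sms-body">' + html + '</div>';
}

// Constructed sample message containing an iframe tag and an ordinary link.
const sampleMessage =
  'hi <iframe src="http://example.invalid/x"></iframe> see http://example.com/a?b=1&c=2';

console.log(renderMessageUnsafe(sampleMessage)); // iframe tag survives as markup
console.log(renderMessageSafe(sampleMessage));   // iframe tag is shown as inert text
```

Encoding happens before any markup is added, so the only tags in the output are the ones the renderer wrote itself.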
TAGS : Web, Palm Inc., Flaw.