Could You Get a Virus in WebOS?

Old 09/11/2009, 12:37 PM   #1 (permalink)

I just thought about it... You know those pesky websites that try to install backdoors in your PC. What if I go to that site with my Pre?

I mean, this is an OS that could be easy to hack, due to the lack of security. You can gain root access easily and you start spamming or sending other viruses without the owner knowing.
__________________
Floren Munteanu
why queued - My blog
Posted by T3CK
Old 09/11/2009, 12:44 PM   #2 (permalink)

Just because it is easy to "hack" doesn't mean it lacks security.
Posted by gabbott
Old 09/11/2009, 12:47 PM   #3 (permalink)

actually, that's exactly what it means....

a script can easily execute everything you do to root your phone, and at that point, it can wreak havoc. it can delete apps, steal your contact info, and so on
Posted by Eugefunk84
Old 09/11/2009, 12:50 PM   #4 (permalink)

Ya, that's what I'm worried about.
Posted by T3CK
Old 09/11/2009, 12:55 PM   #5 (permalink)

The malware those sites try to sneak in is likely specific to Windows. Most exploit problems in specific browsers, generally IE.
I guess if there is any malware around that exploits WebKit and Linux it could be possible to get it on the Pre.
Posted by alpinejag
Old 09/11/2009, 12:58 PM   #6 (permalink)

Not possible.

First off, those sites are 99.99% of the time using Windows vulnerabilities and / or Windows binaries. No way they could even run.

Secondly, the Web Browser is sandboxed (just like everything else). You cannot connect to the Mojo framework from within a web page.

Thirdly, even webOS applications are sandboxed. You can't just execute framework commands from them. You also cannot execute scripts to root your phone from them.

Rooting takes place when your Firewall is partially disabled (i.e. developer mode) and you run a script via SSH on your phone.

Stop being paranoid.
Posted by Kasracer
Old 09/11/2009, 01:02 PM   #7 (permalink)

If you are concerned about such things (and, at some level, aren't we all?), then do not install anything on your Pre. Most definitely not homebrew, but even stuff from the app catalog (how much do you REALLY trust Palm to confirm that there aren't hidden bombs?).

Because, once you install something, it can do all sorts of nasty things, such as randomly call people in your phone book, spam those in your e-mail list, etc.

And this is true for non-rooted devices, too. As long as you install things on your Pre, you run the risk.

Now, what about visiting web sites? Can that do it? Maybe. I don't know enough about the browser to know if there are holes, but chances are there are. If there is a hole, at some point, someone will exploit it.

This, in fact, was the reason that Palm released that emergency OS release to fix the hole that allowed an ipk install via e-mail. And why, we hope, anything that's added to allow software downloads from the browser is very limited.
Posted by squeff
Old 09/11/2009, 01:02 PM   #8 (permalink)

Your computer may be broadcasting an IP Address!
Posted by Leathal
Old 09/11/2009, 01:02 PM   #9 (permalink)

Quote:
Originally Posted by alpinejag View Post
The malware those sites try to sneak in is likely specific to Windows. Most exploit problems in specific browsers, generally IE.
I guess if there is any malware around that exploits WebKit and Linux it could be possible to get it on the Pre.
Exactly. Because a hacker knows it is more difficult to take over a Linux OS.
However, for WebOS, all I have to do is download a script into /tmp directory and make it execute as a service when you reboot your Pre (very easy to do since the root user is open to everyone). That will import all needed files to gain complete invisible access and from there ... sky is the limit.

I'm very comfortable with Linux, I build my own RPMs and do pretty much everything on this OS. That is the main reason also why I got the Pre. The only way you could protect your Pre is by adding a custom password to root user. That will take care of the issue. However, that will disable future upgrades because root is protected...

Last edited by T3CK; 09/11/2009 at 01:07 PM.
Posted by T3CK
Old 09/11/2009, 01:03 PM   #10 (permalink)

Quote:
Originally Posted by squeff View Post
Because, once you install something, it can do all sorts of nasty things, such as randomly call people in your phone book, spam those in your e-mail list, etc.
The SDK currently doesn't allow access to your list of contacts.
Posted by Kasracer
Old 09/11/2009, 01:07 PM   #11 (permalink)

Quote:
Originally Posted by Kasracer View Post
The SDK currently doesn't allow access to your list of contacts.
People that are looking to do mischief or prove their powers don't let SDK limits stop them.

Mark my words, someone will figure out how to grab e-mail addresses and phone numbers.
Posted by squeff
Old 09/11/2009, 01:08 PM   #12 (permalink)

Quote:
Originally Posted by T3CK View Post
Exactly. Because a hacker knows it is more difficult to take over a Linux OS.

It's actually real easy to hack a linux box, most people don't fool with it though, since the majority of users are smart enough to not do things to get hacked. Windows is a rich environment of people who will click on links, or open attachments that they shouldn't.

Linux is an Open OS, a good developer can easily find any holes (and there are lots of known holes in linux) and exploit them.
Posted by DavidRR
Old 09/11/2009, 01:09 PM   #13 (permalink)

Quote:
Originally Posted by Kasracer View Post
The SDK currently doesn't allow access to your list of contacts.
Who is stopping the hacker from building a script that sends a virus to all your contacts? The same script will use your phone email app to send the contact details to the hacker, at the same time it sends the virus to your friends. It is really not difficult.
Posted by T3CK
Old 09/11/2009, 01:11 PM   #14 (permalink)

Quote:
Originally Posted by T3CK View Post
Exactly. Because a hacker knows it is more difficult to take over a Linux OS.
However, for WebOS, all I have to do is download a script into /tmp directory and make it execute as a service when you reboot your Pre (very easy to do since the root user is open to everyone). That will import all needed files to gain complete invisible access and from there ... sky is the limit.

I'm very comfortable with Linux, I build my own RPMs and do pretty much everything on this OS. That is the main reason also why I got the Pre. The only way you could protect your Pre is by adding a custom password to root user. That will take care of the issue. However, that will disable future upgrades because root is protected...

Why would you download and run a script that you don't know anything about? There is no way I know of from getting across the web through the browser into your shell to execute commands.

What are you saying here?
Posted by egaudet
Old 09/11/2009, 01:14 PM   #15 (permalink)

Quote:
Originally Posted by DavidRR View Post
It's actually real easy to hack a linux box, most people don't fool with it though, since the majority of users are smart enough to not do things to get hacked. Windows is a rich environment of people who will click on links, or open attachments that they shouldn't.

Linux is an Open OS, a good developer can easily find any holes (and there are lots of known holes in linux) and exploit them.
I totally agree. I'm sure you helped site owners who were getting hacked recently through /var/www/html/page dirs (chmoded at 0777, instead of being owned by a specific user). It is crazy sometimes how you can overlook simple details.
Posted by T3CK
Old 09/11/2009, 01:15 PM   #16 (permalink)

Quote:
Originally Posted by T3CK View Post
I totally agree. I'm sure you helped site owners who were getting hacked recently through /var/www/html/page dirs (chmoded at 0777, instead of being owned by a specific user). It is crazy sometimes how you can overlook simple details.

777 is not a simple detail...
Posted by egaudet
Thanked By: jonnrb
Old 09/11/2009, 01:16 PM   #17 (permalink)

Quote:
Originally Posted by emoney_33 View Post
Why would you download and run a script that you don't know anything about? There is no way I know of from getting across the web through the browser into your shell to execute commands.

What are you saying here?
You don't download any script. I go to your Pre, through your public IP and upload myself a script into your /tmp folder. Then, it will execute by itself at next boot. You have no idea I'm on your phone, during all this time.
Posted by T3CK
Old 09/11/2009, 01:16 PM   #18 (permalink)

Quote:
Originally Posted by DavidRR View Post
It's actually real easy to hack a linux box, most people don't fool with it though, since the majority of users are smart enough to not do things to get hacked.

Almost every 'hack' out there for linux involves gaining root access to a shell via some vulnerable service running on that box. So either you have to have local access to it, or find and exploit a vulnerability in apache, sshd, or some other program. If you're not exposing any services over EVDO or wifi, then you'll most likely be fine.


Not to say it isn't still possible. There may be holes in the sdk or some other app you run that is exploitable by visiting a malicious web page, email attachment, picture or otherwise. Still far less likely to get a compromise on your Pre than a windows desktop machine.
Posted by ssrjazz
Thanked By: cbulock
Old 09/11/2009, 01:18 PM   #19 (permalink)

Quote:
Originally Posted by T3CK View Post
You don't download any script. I go to your Pre, through your public IP and upload myself a script into your /tmp folder. Then, I execute it or simply make it execute at boot. You have no idea I'm on your phone, during all this time.

How do you "go to my Pre"?

Am I on wifi, with ssh server setup? How do you know my password?
Posted by egaudet
Old 09/11/2009, 01:18 PM   #20 (permalink)

Quote:
Originally Posted by Kasracer View Post
The SDK currently doesn't allow access to your list of contacts.
Besides, even if it were totally impossible to get contact information, this is actually simple to work around.

There are several "contacts" applications out there, including the excellent QuickContacts app. These apps, at the core, are about getting a user to select contacts and giving access to that contact data to the app.

All an evil-doer needs to do is write their own "contacts" app. Or take an existing one, for that matter. Then, let the user load up their "quick contact" list with all the contacts the user wants. Meanwhile, the app is also collecting phone numbers and e-mail addresses that will be used, later, for various purposes.

Social engineering is a lot more powerful than any SDK.
Posted by squeff