  1.    #1  
    Hey all, as a security network professional I just came across a link for a newly announced vulnerability in webOS. I have included the link below. Hopefully Palm/HP takes security seriously and gets this patched up quickly since this info will be exposed to the scene tomorrow.

    http://www.darkreading.com/vulnerabi...artphones.html
    Last edited by HelloNNNewman; 11/25/2010 at 04:29 PM. Reason: updated title
  2. #2  
    "The most dangerous of the vulnerabilities is an injection flaw they found on the WebOS version 1.4.X that allows remote command and control, including access to a phone's files or injecting a remote JavaScript backdoor into the phone's Contacts Application to build a botnet."

    Wow...
  3. #3  
    Weird that they are just posting this information now... this was an article a few months ago.
  4. #4  
    Repost?????
  5. #5  
    Dunno...they found some issues with 1.4.x in April, but were fixed right away. Here's the previous thread:

    http://forums.precentral.net/general...abilities.html
  6. dsei's Avatar
    #6  
    webosinternals patch request?

    We all know how quickly the carriers approve Palm's updates so I suspect this one may be hanging around for awhile.

    Palm really needs to build more security into the core framework. C'mon, lack of input validation? That's web dev security rule number one..
  7. bdog421's Avatar
    #7  
    How would this "injection flaw" be implemented, would it have to be built into an application or could it be done from the outside?

    I don't know about everyone else, but I always felt fairly secure using my pre for online banking, online purchases, donations through paypal and managing sensitive info online. Never had any issues with anything. So far with my epic, I feel less secure than when I was using my pre, but I've always felt insecure about google handling my security. I guess it's not a bad thing to feel insecure about security..... ehh?
  8. #8  
    I've tried injecting stuff into the contacts app, and it doesn't work; the email app still has an injection issue with iframes, but the contacts app seems secure.
  9. migs's Avatar
    #9  
    Researchers Find Security Flaws in Palm Smartphone webOS - Security - News & Reviews

    Great, this is not what we needed! Hope HP/Palm gets on this quick



    Security researchers uncovered critical flaws in webOS, including a cross-site scripting issue that could be used to gain remote control of devices and possibly build a botnet.

    WebOS is the operating system used in Palm smartphones. The issues were uncovered by Orlando Barrera and Daniel Herrera of SecTheory, who discovered a total of three unique flaws - a floating-point overflow issue, a denial of service bug and the cross-site scripting vulnerability. The researchers are expected to present their findings later today at the Austin Hacker Association meeting in Texas.

    According to Barrera, the vulnerabilities can be used by an attacker in a number of ways to threaten security.

    “For example utilizing the cross-site scripting issue we are able to conduct the following attacks: remote command and control, by using JavaScript to dynamically modify the user experience an attacker is able to control aspects of the device over time,” he said. “This in essence is the foundation of a botnet, (and) with time and effort I believe it is feasible for an attacker to complete a functional command and control program for this device.”

    In addition, the researchers were able to use XML HTTP Requests to access the local file system via “localhost.” Due to the access permissions associated to the web user, the researchers were able to read the local database file, Barrera said.

    “This allowed us to exfiltrate sensitive user data stored within the database to a remote server under our control,” he added. “This database includes contact information, usernames, password hashes, and unencrypted communications like SMS and email.”

    The specific cross-site scripting injection flaw used by the duo to demonstrate the attacks was fixed by Palm as of the webOS 2.0 beta. However, webOS 2.0 remains susceptible to the floating-point overflow and denial of service issues, Barrera said.

    “Once we understood the design it was just a matter of identifying applications where: user-supplied content is visually presented to the user, and ideally from a remote source,” Herrera said. “The ‘Sync’ feature of the default "Contacts" application had both desired attributes allowing us to create and demonstrate the impact of these types of injection attacks against the WebOS platform.”

    The researchers conducted their work on webOS version 1.4.x and the webOS 2.0 beta platforms developed by Palm. This is not the first time the security community has poked around on Palm devices. Earlier this year for example, the Intrepidus Group detailed a vulnerability impacting webOS’ SMS client.

    “The user experience in webOS is constructed similar to a Web application: mark-up rendering (HTML/CSS) is used for the visual elements, JavaScript is used for dynamic updating/modification, and system commands are communicated via HTTP locally,” Herrera added. “This design leaves the webOS susceptible to attacks similar to Cross-site Scripting. If user-supplied content is not properly sanitized prior to it being included within the user interface, conditions are created where this content can execute commands against the system and modify the user experience.”
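
Added example, not part of the original post or the quoted article: a minimal JavaScript sketch of the sanitization gap Herrera describes, rendering a synced contact into HTML-based UI markup with and without output encoding. The contact field names, the markup template and the sample record are constructed assumptions, not webOS's actual schema or code.

```javascript
// Constructed sample record standing in for a contact pulled in by a remote
// sync. Field names are hypothetical; this is not the webOS contact schema.
const syncedContact = {
  name: 'Alice <img src="x" onerror="markerHandler()">',
  company: 'Example & Sons',
  note: '<script>/* content controlled by the remote source */</script>',
};

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute. '&' must be replaced first to avoid double-encoding.
function escapeHtml(value) {
  return String(value ?? '')
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The "before" case: fields are concatenated straight into UI markup.
function renderContactUnsafe(c) {
  return `<div class="contact"><h2>${c.name}</h2>` +
         `<p>${c.company}</p><p>${c.note}</p></div>`;
}

// Hardened: every field is encoded at the point it enters the markup.
function renderContactSafe(c) {
  return `<div class="contact"><h2>${escapeHtml(c.name)}</h2>` +
         `<p>${escapeHtml(c.company)}</p><p>${escapeHtml(c.note)}</p></div>`;
}

// Review aid: count opening tags in rendered output. The template itself
// contributes exactly 4 (div, h2, p, p); any more came from the data.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

console.log('unsafe tags:', countOpeningTags(renderContactUnsafe(syncedContact)));
console.log('safe tags:  ', countOpeningTags(renderContactSafe(syncedContact)));
console.log(renderContactSafe(syncedContact));
```

A tag count above the template's own four is a cheap regression check that a data field reached the markup unencoded.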
  10. #10  
    Quote: Originally Posted by HelloNNNewman
    Dunno...they found some issues with 1.4.x in April, but were fixed right away. Here's the previous thread:

    http://forums.precentral.net/general...abilities.html
    I was thinking the same thing. The article in the OP only mentions 1.4.x and the 2.0 beta which would have to be the Early Access SDK release. So is this new or just a poorly timed re-run?

    This was what caused Good to put the brakes on their enterprise mail client for WebOS and the reason I finally put my wife in an EVO so she could access her work email and calendar properly.

    I even tried using Classic and the old Palm OS Good messaging client but no dice.
    Clicking the Thanks button is a great way to say... well THANKS
    Phone Apps: Church Search, Tap for HELP
    TouchPad Apps: Tap for HELP! HD, webOS Meetups
  11. #11  
    It would be nice to see Palm respond to this kind of stuff aggressively. Nobody expects there to be zero security holes. But we all expect them to respond to them when they are found and plug them up.
    Palm III-->Handspring Visor-->Sony Clie PEG-NR70-->no PDA -->Palm Treo 755p-->Palm Pre-->HP Veer
  12. #12  
    Quote: Originally Posted by jbg7474
    It would be nice to see Palm respond to this kind of stuff aggressively. Nobody expects there to be zero security holes. But we all expect them to respond to them when they are found and plug them up.
    Perhaps one of our better known Devs should ask this question in the Dev. forums?
  13. anifan's Avatar
    #13  
    Perhaps they should have contacted HP quietly and not told the entire hacker underworld?
  14. #14  
    Quote: Originally Posted by anifan
    Perhaps they should have contacted HP quietly and not told the entire hacker underworld?
    Protocol is generally to tell the vendor, give them some time to fix it, then explain the exploit or vulnerability to everyone else. I'm guessing they've probably told HP about it and a patch is probably imminent.
  15. #15  
    Quote: Originally Posted by nappy
    Protocol is generally to tell the vendor, give them some time to fix it, then explain the exploit or vulnerability to everyone else. I'm guessing they've probably told HP about it and a patch is probably imminent.
    I doubt they care about the protocol considering they would have broken their contract by mentioning that the vulnerability exists in the webOS 2.0 beta (which is NDA and anything discovered within -- such as a vulnerability -- is confidential). They don't care about contracts, so why would they care about protocol.
    Arthur Thornton

    Former webOS DevRel Engineer at Palm, HP, and LG
    Former webOS app developer (built Voice Memos, Sparrow, and several homebrew apps and patches)
    Former blogger for webOS Nation and webOS Roundup
  16. #16  
    They're probably not under NDA. webOS 2.0 isn't hard to get your hands on, especially if you're in the security research field.
  17. #17  
    Quote: Originally Posted by nappy
    They're probably not under NDA. webOS 2.0 isn't hard to get your hands on, especially if you're in the security research field.
    Actually they do care, they are still requiring an NDA for access to the 2.0 Beta SDK (as recent as a couple of days ago). I realize 2.0 is in the wild today but the NDA is still in effect.

    My biggest concern is that the vulnerabilities were actually identified much earlier this year and this article makes it sound as though they are brand new. If I remember correctly, the vulnerabilities were not spelled out last time. So I would assume that they have already been dealt with.

    That would of course be following the pattern suggested in a previous post. Find the flaw, report the flaw quietly to the company, tell the community you found a flaw without giving the details and once the company has had time to fix it and does, then go public so you can look smart and get the credit you deserve for finding the flaw.
  18. #18  
    Quote: Originally Posted by nappy
    They're probably not under NDA. webOS 2.0 isn't hard to get your hands on, especially if you're in the security research field.
    They specifically said "webOS 2.0 beta SDK" which means NDA. Either that or they illegally downloaded the SDK because they aren't permitted to use that. Either way, they're breaking something (be it the law or a contract).
    Arthur Thornton
  19. #19  
    Quote: Originally Posted by arthurthornton
    They specifically said "webOS 2.0 beta SDK" which means NDA. Either that or they illegally downloaded the SDK because they aren't permitted to use that. Either way, they're breaking something (be it the law or a contract).
    I'm guessing it's the latter.

    Either way, a couple of white hats finding and reporting vulnerabilities is a good thing. Especially when you consider the alternative.
  20. #20  
    Quote: Originally Posted by nappy
    I'm guessing it's the latter.

    Either way, a couple of white hats finding and reporting vulnerabilities is a good thing. Especially when you consider the alternative.
    Yeah, it is a good thing... If they report it to HP Palm and wait to release info.

    -- Sent from my Palm Pre using Forums Beta
    Arthur Thornton