Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/23/2010
04:52 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers Uncover Holes In WebOS Smartphones

Linux-based platform prone to Web-injection vulnerabilities and targeted attacks for stealing data

A pair of researchers has discovered multiple flaws in the WebOS smartphone platform, including one that could let an attacker build a mobile botnet or execute other remote attacks.

Orlando Barrera and Daniel Herrera of SecTheory plan to demonstrate their findings tomorrow at the Austin Hackers Association meeting in Texas. The most dangerous of the vulnerabilities is an injection flaw they found on the WebOS version 1.4.X that allows remote command and control, including access to a phone's files or injecting a remote JavaScript backdoor into the phone's Contacts Application to build a botnet.

"This is a simple attack process with severe impact to end users. In the condition of remote command and control, this could [be] used in many of the same ways as a botnet: submitting spam, clickjacking, ad revenue," Barrera says. The researchers tested exploits on Palm Pre running WebOS version 1.4.X.

Meanwhile, HP has fixed the "Contacts" application issue as of the WebOS 2.0 beta, but the researchers have found a mix of other bugs, including ones of the floating-point overflow, denial-of-service, and cross-site scripting variety, in the new beta version of the smartphone platform.

Some inherent design elements of WebOS leave it prone to XSS and other attacks, they say. "Any mobile computing device with Internet connectivity running WebOS with its current feature set would be vulnerable," Herrera says.

WebOS is less secure than other smartphones mainly because the intent of the environment was to simplify application development, he says. "The WebOS platform cuts out the middleman; the delivery mechanism is the device compromised since the local system commands can be leveraged by Web technologies like JavaScript," Herrera says. "This is not to say that other mobile operating systems are devoid of flaws. It just means that [Palm's] intent of creating an environment to ease application development also resulted in easing the development of exploitation."

The researchers found that the "Company" field in the Contacts app window was "unsanitized," so they were able to inject code that ultimately grabbed the Palm's database file with emails, email addresses, contact list, and other information. In a second attack, they inserted a JavaScript hook to use keyloggers and other tools. That could then be used by bad guys to build a mobile botnet, for instance.

"By not properly sanitizing user-supplied content prior to it being included within the user interface, conditions are created where user-supplied content can execute commands against the system and modify the user experience," Herrera says. "Developers should keep in mind that data from third-party sources can be dangerous, whether it's from a company or an anonymous user. Measures should be put in place to validate and modify any form of malicious content to prevent local exploitation."

To date, most real-world attacks on smartphones have been relatively benign, but security experts such as Herrera and Barrera predict that all will soon change as these devices get smarter and become more of a work tool for mobile users.

"We believe there is more work to be done in the mobile sector with regard to security. We hope that our work helps end users understand the risks related to using mobile devices for day-to-day activities and communication," Barrera says.

This isn't the first time Palm Pre smartphones have been hacked by researchers. A proof-of-concept attack exploiting an email flaw was released last year, and an SMS injection flaw was demonstrated earlier this year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.