Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/23/2010
04:52 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Researchers Uncover Holes In WebOS Smartphones

Linux-based platform prone to Web-injection vulnerabilities and targeted attacks for stealing data

A pair of researchers has discovered multiple flaws in the WebOS smartphone platform, including one that could let an attacker build a mobile botnet or execute other remote attacks.

Orlando Barrera and Daniel Herrera of SecTheory plan to demonstrate their findings tomorrow at the Austin Hackers Association meeting in Texas. The most dangerous of the vulnerabilities is an injection flaw they found on the WebOS version 1.4.X that allows remote command and control, including access to a phone's files or injecting a remote JavaScript backdoor into the phone's Contacts Application to build a botnet.

"This is a simple attack process with severe impact to end users. In the condition of remote command and control, this could [be] used in many of the same ways as a botnet: submitting spam, clickjacking, ad revenue," Barrera says. The researchers tested exploits on Palm Pre running WebOS version 1.4.X.

Meanwhile, HP has fixed the "Contacts" application issue as of the WebOS 2.0 beta, but the researchers have found a mix of other bugs, including ones of the floating-point overflow, denial-of-service, and cross-site scripting variety, in the new beta version of the smartphone platform.

Some inherent design elements of WebOS leave it prone to XSS and other attacks, they say. "Any mobile computing device with Internet connectivity running WebOS with its current feature set would be vulnerable," Herrera says.

WebOS is less secure than other smartphones mainly because the intent of the environment was to simplify application development, he says. "The WebOS platform cuts out the middleman; the delivery mechanism is the device compromised since the local system commands can be leveraged by Web technologies like JavaScript," Herrera says. "This is not to say that other mobile operating systems are devoid of flaws. It just means that [Palm's] intent of creating an environment to ease application development also resulted in easing the development of exploitation."

The researchers found that the "Company" field in the Contacts app window was "unsanitized," so they were able to inject code that ultimately grabbed the Palm's database file with emails, email addresses, contact list, and other information. In a second attack, they inserted a JavaScript hook to use keyloggers and other tools. That could then be used by bad guys to build a mobile botnet, for instance.

"By not properly sanitizing user-supplied content prior to it being included within the user interface, conditions are created where user-supplied content can execute commands against the system and modify the user experience," Herrera says. "Developers should keep in mind that data from third-party sources can be dangerous, whether it's from a company or an anonymous user. Measures should be put in place to validate and modify any form of malicious content to prevent local exploitation."

To date, most real-world attacks on smartphones have been relatively benign, but security experts such as Herrera and Barrera predict that all will soon change as these devices get smarter and become more of a work tool for mobile users.

"We believe there is more work to be done in the mobile sector with regard to security. We hope that our work helps end users understand the risks related to using mobile devices for day-to-day activities and communication," Barrera says.

This isn't the first time Palm Pre smartphones have been hacked by researchers. A proof-of-concept attack exploiting an email flaw was released last year, and an SMS injection flaw was demonstrated earlier this year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.