A security researcher has released a
cross-site scripting proof-of-concept illustrating some flaws in the webOS
tablet operating system.
Security researcher Orlando Barrera
published a proof-of-concept showing how attackers could inject code into the
Contacts application on a webOS 3.0 device, Dark Reading reported July 5. He also
demonstrated the cross-site-scripting exploit at an Austin
Hackers Association meeting in Texas on June 30.
Barrera and fellow researcher Daniel Herrera had reported their findings back
in November that the "company" field in the Contacts app was
"unsanitized," letting them inject code that ultimately allowed them
to grab the database file with emails, email addresses, contacts and other
information off the device. The latest exploit from Barrera was related to the
earlier discovery.
"This [new flaw] is a similar
vector," Barrera told Dark Reading.
The lack of input sanitization in some
of the fields in the Contacts app renders it vulnerable to malicious code
injection and remote code execution, according to the files from the AHA meeting. This means it would
exist in both the newly launched HP TouchPad and webOS smartphones.
If there is any malicious HTML or
JavaScript code injected into the contact file being imported into the Contacts
application, the arbitrary code is executed, according to Barrera's
presentation. "This can be abused by an attacker to perform a cross-site
scripting attack on the device," he said, noting that the attacker does
not need authentication to exploit this XSS vulnerability.
In the proof-of-concept, Barrera
demonstrated how he injected the JavaScript code into the contact information
within the professional networking site LinkedIn to execute the malicious
JavaScript file. To prove how easy it is to use a cross-site scripting attack
on webOS, Barrera tried it out on an HP TouchPad in a local Best Buy, according
to a YouTube video he made. He successfully used the
exploit on Facebook, LinkedIn and other apps, which are not
"sanitized" to correctly handle code in text fields in webOS, he said
on the video.
"The only reason it hasn't been
exploited before is market share, but now that HP is trying to get into the PC
tablet market, it has a potentially larger market share and becomes more of a
target," Barrera said.
WebOS is also vulnerable to cross-site
request forgeries, according to Barrera, but he didn't publicize those exploits
because he didn't want to give clues to malicious attackers on how to attack
the platform through methods such as compromising a PDF reader performing a
buffer overflow attack.
HP has known about some of the issues
raised by Herrera and Barrera since they were raised a few months ago. Barrera
told Dark Reading he found the latest issues in webOS 3.0 within 30 minutes of
having access to the software development kit. Even though he informed HP via
ZDI, the company's security research arm, the company allegedly denied there
was an issue, prompting Barrera to publicize the proof-of-concept and his
findings. He said he wanted to give consumers the information to make an
informed decision based on the potential risks.
"HP takes webOS security very
seriously. We have identified the issue and it will be addressed in the next
over-the-air update. In the interim, we suggest users be cautious accepting
contact records from unknown sources," an HP spokesperson told eWEEK.
HP controls the software and can update
the platform via over-the-air-updates, giving it an advantage over mobile platforms
that depend on carriers to push out the latest software updates.
Enterprise Mobility News & Reviews 
