A security researcher has released a cross-site scripting proof-of-concept illustrating some flaws in the webOS tablet operating system.
Security researcher Orlando Barrera published a proof-of-concept showing how attackers could inject code into the Contacts application on a webOS 3.0 device, Dark Reading reported July 5. He also demonstrated the cross-site-scripting exploit at an Austin Hackers Association meeting in Texas on June 30.
Barrera and fellow researcher Daniel Herrera had reported their findings back in November that the “company” field in the Contacts app was “unsanitized,” letting them inject code that ultimately allowed them to grab the database file with emails, email addresses, contacts and other information off the device. The latest exploit from Barrera was related to the earlier discovery.
“This [new flaw] is a similar vector,” Barrera told Dark Reading.
The lack of input sanitization in some of the fields in the Contacts app renders it vulnerable to malicious code injection and remote code execution, according to the files from the AHA meeting. This means it would exist in both the newly launched HP TouchPad and webOS smartphones.
“The only reason it hasn’t been exploited before is market share, but now that HP is trying to get into the PC tablet market, it has a potentially larger market share and becomes more of a target,” Barrera said.
WebOS is also vulnerable to cross-site request forgeries, according to Barrera, but he didn’t publicize those exploits because he didn’t want to give clues to malicious attackers on how to attack the platform through methods such as compromising a PDF reader performing a buffer overflow attack.
HP has known about some of the issues raised by Herrera and Barrera since they were raised a few months ago. Barrera told Dark Reading he found the latest issues in webOS 3.0 within 30 minutes of having access to the software development kit. Even though he informed HP via ZDI, the company’s security research arm, the company allegedly denied there was an issue, prompting Barrera to publicize the proof-of-concept and his findings. He said he wanted to give consumers the information to make an informed decision based on the potential risks.
“HP takes webOS security very seriously. We have identified the issue and it will be addressed in the next over-the-air update. In the interim, we suggest users be cautious accepting contact records from unknown sources,” an HP spokesperson told eWEEK.
HP controls the software and can update the platform via over-the-air-updates, giving it an advantage over mobile platforms that depend on carriers to push out the latest software updates.