Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • IT Management
    • Mobile
    • Servers

    Researchers Find Security Flaws in Palm Smartphone WebOS

    By
    Brian Prince
    -
    November 24, 2010
    Share
    Facebook
    Twitter
    Linkedin

      Security researchers uncovered critical flaws in WebOS, including a cross-site scripting issue that could be used to gain remote control of devices and possibly build a botnet.

      WebOS is the operating system used in Palm smartphones. The issues were uncovered by Orlando Barrera and Daniel Herrera of SecTheory, who discovered a total of three unique flaws-a floating-point overflow issue, a denial-of-service bug and the cross-site scripting vulnerability. The researchers are expected to present their findings later today at the Austin Hacker Association meeting in Texas.

      According to Barrera, the vulnerabilities can be used by an attacker in a number of ways to threaten security.

      “For example, utilizing the cross-site scripting issue we are able to conduct the following attacks: remote command and control. By using JavaScript to dynamically modify the user experience, an attacker is able to control aspects of the device over time,” he said. “This in essence is the foundation of a botnet, [and] with time and effort I believe it is feasible for an attacker to complete a functional command and control program for this device.”

      In addition, the researchers were able to use XML HTTP Requests to access the local file system via “localhost.” Due to the access permissions associated to the Web user, the researchers were able to read the local database file, Barrera said.

      “This allowed us to exfiltrate sensitive user data stored within the database to a remote server under our control,” he added. “This database includes contact information, usernames, password hashes, and unencrypted communications like SMS and e-mail.”

      The specific cross-site scripting injection flaw used by the duo to demonstrate the attacks was fixed by Palm as of the WebOS 2.0 beta. However, WebOS 2.0 remains susceptible to the floating-point overflow and denial-of-service issues, Barrera said.

      “Once we understood the design it was just a matter of identifying applications where user-supplied content is visually presented to the user, and ideally from a remote source,” Herrera said. “The ‘Sync’ feature of the default ‘Contacts’ application had both desired attributes, allowing us to create and demonstrate the impact of these types of injection attacks against the WebOS platform.”

      The researchers conducted their work on WebOS Version 1.4.x and the WebOS 2.0 beta platforms developed by Palm. This is not the first time the security community has poked around on Palm devices. Earlier this year, for example, the Intrepidus Group detailed a vulnerability impacting WebOS’ SMS client.

      “The user experience in WebOS is constructed similar to a Web application: Markup rendering (HTML/CSS) is used for the visual elements, JavaScript is used for dynamic updating/modification, and system commands are communicated via HTTP locally,” Herrera added. “This design leaves the WebOS susceptible to attacks similar to cross-site scripting. If user-supplied content is not properly sanitized prior to it being included within the user interface, conditions are created where this content can execute commands against the system and modify the user experience.”

      Brian Prince

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×