Security researchers uncovered critical flaws in WebOS, including a cross-site scripting issue that could be used to gain remote control of devices and possibly build a botnet.
WebOS is the operating system used in Palm smartphones. The issues were uncovered by Orlando Barrera and Daniel Herrera of SecTheory, who discovered a total of three unique flaws-a floating-point overflow issue, a denial-of-service bug and the cross-site scripting vulnerability. The researchers are expected to present their findings later today at the Austin Hacker Association meeting in Texas.
According to Barrera, the vulnerabilities can be used by an attacker in a number of ways to threaten security.
In addition, the researchers were able to use XML HTTP Requests to access the local file system via “localhost.” Due to the access permissions associated to the Web user, the researchers were able to read the local database file, Barrera said.
“This allowed us to exfiltrate sensitive user data stored within the database to a remote server under our control,” he added. “This database includes contact information, usernames, password hashes, and unencrypted communications like SMS and e-mail.”
The specific cross-site scripting injection flaw used by the duo to demonstrate the attacks was fixed by Palm as of the WebOS 2.0 beta. However, WebOS 2.0 remains susceptible to the floating-point overflow and denial-of-service issues, Barrera said.
“Once we understood the design it was just a matter of identifying applications where user-supplied content is visually presented to the user, and ideally from a remote source,” Herrera said. “The ‘Sync’ feature of the default ‘Contacts’ application had both desired attributes, allowing us to create and demonstrate the impact of these types of injection attacks against the WebOS platform.”
The researchers conducted their work on WebOS Version 1.4.x and the WebOS 2.0 beta platforms developed by Palm. This is not the first time the security community has poked around on Palm devices. Earlier this year, for example, the Intrepidus Group detailed a vulnerability impacting WebOS’ SMS client.