Security exploit uncovered in webOS 1.4.X, fixed in 2.0
Two researchers with SecTheory have announced that they have uncovered flaws in older versions of webOS that would allow for remote command and control of the devices. These exploits were discovered in webOS 1.4.X (1.4.0 through 1.4.5), but some have since been patched in webOS 2.0.
Due to webOS’ web-tech base, it will always be possible to hack the operating system using techniques similar to those used to exploit websites. Considering that our phones generally contain far more personal information than any single website, that can be slightly worrying. Of course, the other side of the coin tells us that webOS wouldn’t be webOS without these web technologies. With every mobile platform there are trade-offs: ease of programming and accessibility leads to a more easily exploited operating system.
According to the researchers, the Company field in the 1.4.X Contacts app is “unsanitized,” allowing them to inject code that allowed them to pull other information from the Contacts database. Additionally, they were able to insert a JavaScript hook that enabled the use of tools such as keyloggers, possibly leading to botnets and the like.
There are at least two unmentioned caveats to this exploit: first, the code isn’t executed until the user views it (it sits there until the contact containing the malicious code is opened and viewed), and second, the code still has to get on the device somehow. We can think of a few ways to get the code into a contacts field of your device. Inserting it through a web-based contacts application (e.g. Google Contacts or their Exchange database, but then you still have to crack the user’s password) is the only remote manner we can fathom. Everything else requires either interaction with the user (accepting a transmitted vCard contact through email or other means) or physical access to the device. And if somebody else has access to your phone, you’re pretty much screwed anyway.
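To make the flaw class concrete, here is an added example (not Palm's Contacts code and not the researchers' proof of concept): a hypothetical contact renderer that builds HTML from vCard fields, shown once with the company value inserted raw and once with it HTML-escaped, plus an import-time check that flags fields containing markup. The vCard, the function names and the `hook()` placeholder are all constructed for illustration.

```javascript
'use strict';

// Constructed sample vCard. ORG (company) carries markup where a plain
// company name belongs; hook() is a placeholder, not a real function.
const SAMPLE_VCARD = [
  'BEGIN:VCARD',
  'VERSION:3.0',
  'FN:Pat Example',
  'ORG:Acme<script>hook()</script>',
  'TEL;TYPE=CELL:+1 555 0100',
  'END:VCARD',
].join('\r\n');

// Minimal vCard reader: unfolds continuation lines and keeps the first
// value seen for each property name (parameters such as TYPE are dropped).
function parseVCard(text) {
  const unfolded = text.replace(/\r?\n[ \t]/g, '');
  const contact = Object.create(null);
  for (const line of unfolded.split(/\r?\n/)) {
    const colon = line.indexOf(':');
    if (colon < 1) continue;
    const name = line.slice(0, colon).split(';')[0].toUpperCase();
    if (name === 'BEGIN' || name === 'END' || name === 'VERSION') continue;
    if (!(name in contact)) contact[name] = line.slice(colon + 1);
  }
  return contact;
}

// Encode the five characters that are significant in HTML text and
// quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Shared template; the only difference between the two renderers is
// whether field values pass through an encoder first.
function render(contact, encode) {
  return '<div class="contact">' +
    '<span class="name">' + encode(contact.FN || '') + '</span>' +
    '<span class="company">' + encode(contact.ORG || '') + '</span>' +
    '</div>';
}

// Before: field values are concatenated into markup unchanged, so any
// tags stored in the contact become part of the page when it is viewed.
function renderUnsafe(contact) {
  return render(contact, (v) => v);
}

// After: every field is output-encoded, so stored markup is displayed
// as text instead of being interpreted.
function renderSafe(contact) {
  return render(contact, escapeHtml);
}

// Import-time check: list properties whose values contain angle
// brackets, so a sync or vCard import can log or quarantine them.
function findSuspiciousFields(contact) {
  return Object.keys(contact).filter((k) => /[<>]/.test(contact[k]));
}

const parsed = parseVCard(SAMPLE_VCARD);
console.log('unsafe:', renderUnsafe(parsed));
console.log('safe:  ', renderSafe(parsed));
console.log('flagged fields:', findSuspiciousFields(parsed));
```

Encoding at output is the actual fix; the import-time check is only a detection aid, since a legitimate company name may contain characters such as `&`.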
Overall, like every other security exploit revealed to date about webOS, we’re not too concerned. There are all sorts of ways to exploit webOS, some of which are essential to fun stuff like homebrew. That said, we’re not super huge fans of malicious exploits, and we’re glad to see that Palm has fixed this particular problem with the release of webOS 2.0. Now if only those of us that don’t have Pre 2 phones could download the new OS...
Source: Darkreading; Via: Engadget; Thanks to everybody that sent this in.

99 Comments
Fixed in 2.0... And how many US users have that?
Luckily, it requires 'interaction'... ?
Yeah. Though I am not exactly on pins and needles waiting for 2.0, but I am amazingly tired of hearing about 2.0 as if everyone has it.
awesome.
Don't worry, it'll be fixed "in the coming months"...
This is getting silly. Now it's up to 2.0.1. I don't believe the "Palm can quickly iron out webOS for when it's released here without the carriers being involved" bit. Every time the version gets bumped, the carriers have to start the validation process from the beginning again adding even more time!
Just send it out, and patch it behind the scenes. No need for full blown updates.
"coming months" Yea, I have a better chance of eating a pair of steel-toed boots faster.
M.
That just may be HP/Palm's plan. Think about it. In the process of eating that steel toe boot, you'd lose your teeth and the poison in the materials would have you on your knees. Wouldn't you then be looking just like those fanboys who will applaud this as HP being here for the consumer? Palm has resorted to prison and Republican tactics to keep their base.
Sounds more like Democrat tactics to me.
Or both, since they're all worthless.
How did this HPalm nonsense become about Politics? As for this lil insecurity exploit being "slightly worrisome", the 30 or less WebOS users who are left aren't in any danger of being hacked because no one cares. The hackers are going after more popular platforms like Android and the iPhone. LOL!!!
Wait a minute. Was it "in the coming months" or "in the coming years?" Either way, it's a meaningless statement, one most likely similar to Palm's promise of Adobe Flash that is long, long, overdue.
Did you not see that Flash is included in webOS 2.0? Speaking as a Pre 2 user, it's definitely there.
I'll acknowledge that it would have been good for Flash to have been out faster. Still, Palm's done its part re Flash (and also, I'd say, on at least some of these security fixes), other than perhaps some nudging of the carriers to release 2.0.
Yeah dude, Flash is here already. Maybe if you got your head out of your ass you would have noticed.
I have a palm pre plus, where can I get it rsanchez?
Get a Pre2 of course.
that's not possible for a lot of people and i don't think many people are buying that phone anyways.
It's only $229 and it's off-contract to boot.
I'm not above donations. Do you want my paypal address so you can send me the money?
M.
yeah i'll take it too. I won't be going to a Pre 2 though.
Well personally i have no interest in the Pre 2 at any price more than "free off contract", so i'm not speaking for myself. Not to mention that's more than i paid for my original pre. But if i did want it i'm on sprint and they aren't getting it. But i have a contract and i surely wouldn't pay the off contract premium for that phone. That's just me. But from what i see and read that's most consumers. Time will tell but i've even heard that point of view from the precentral podcasts hosts so it's not an uncommon sentiment. Also as far as i know it's not available in the United States so all this Pre 2 talk would be meaningless to me. And i think that's the point. The commenter can't get a pre 2 and he probably signed his original contract based partly on Palm's assertion that flash would be coming soon. Thus "Get a pre 2" isn't a solution.
Where can I get one at that price & can I run 2.0 on Sprint? (Not that I would, just curious)
Could you be more of an apologist?
Could you be more of a troll?
Probably, but I don't need to try very hard with the facts on my side. Flash was promised to come to WebOS at the beginning of last year, it still doesn't look like it's going to happen by the end of December. I can buy a Palm Pre 2 and get it but it just clearly shows they optimized WebOS 2 for the Palm Pre 2 instead of first supporting existing customers. Then they release the Pre 2 and offer a discounted unlocked version, which is of no use to CDMA users, you know, the bulk of their customers... it's a sad joke.
Call them facts if you want but it's just trolling to me.
Does the concept of a fact elude you? Facts ARE, they aren't debatable, that's what makes them facts.
No, the facts that rsanchez doesn't like = trolling.
Which, I guess, means the world has been trolling rsanchez pretty hard for the past year considering how hard webOS bombed.
The FACTS are these.
-Palm does not make flash, Adobe makes flash.
-Palm told us we'd have Flash 'soon' ages ago... Based on what Adobe told them. Shame on Palm for being dumb enough to listen to Adobe.
-WebOS has been Flash-ready for almost a year.
-Adobe took their sweet-ass time releasing Flash to mobile OS developers.
-WebOS 2.0 contains flash and has been released to carriers.
Palm shouldn't have touted a product they had no control over before it was done. That was certainly their mistake. But Flash taking as long as it did is on ADOBE's shoulders, not HPalm and the current wait on 2.0 is on the carriers' shoulders.
You are extremely wrong about one thing: It's not called HPalm. It never was called that. Ever.
I also must add: Shame on people for being so stupid that they didn't realize that Flash is a proprietary technology of Adobe's and that how long it would take to release wasn't really Palm's call at all. Palm more or less rolled out the statement, foolishly in hindsight, because people who didn't understand this demanded it.
Also, I have to add that Adobe made a very cute video right after the Pre was released showing them using Flash on webOS. Then suddenly, out of right field, they put the whole project on hold so they could do it for Android because Android suddenly gained multitasking capabilities. Then when that was all squared away and deployed to Android users, they took their time and brought the webOS version back off the shelf...mainly around the time that HP acquired Palm. After all, they wouldn't want HP to start shipping PCs with Flash blocker extensions now, would they?
Actually Adobe released flash to ALL PARTNERS 5 months ago. So you can blame them for it not being available before then but not since then. Palm claimed that once Flash became available it would be a simple download from the app catalog. Now, that has been changed to needing webOS 2.x.
Your analysis is useless for the bulk of people here. They just want you to bury your head in the sand and tell them everything is great cause many think if you just say something is satisfactory that makes it so. What they should be doing is wondering why so much of the market finds the product unsatisfactory and adjust.
You may be overlooking the fact that upgrading the existing customers to webOS 2.0 does not generate any cash. Selling the Pre 2 to NEW customers does. Financially, there is less reason to rush to upgrade the existing (albeit loyal) customers.
>Yeah dude, Flash is here already.
It is? That's not what Adobe says.
http://get.adobe.com/flash
M.
I have been getting this urge of buying a new phone lately, I do not think webOS will be my next phone but I hope I am wrong.
I wouldn't want to throw all my apps away on a whim just because I'd have to wait 2 more months for a new phone. But maybe that's just me. A smartphone is basically a computer. If you don't like the interface of the operating system you're working with, or you can't port your apps directly across, it's really painful to make that jump. Smartphone users need to get that through their heads. You're going to be happier with the OS that works best for you than just having shiny new hardware.
My Sprint Pre has held up pretty well for a year and a half, and I'm betting it holds up well for another 6 months or so until Sprint is satisfied that Palm is rolling out their 4G version. After all, that is the main reason why Sprint won't carry the Pre 2. They're all about 4G now. Why launch a new phone that doesn't run on your next generation network like your other phones do? That would make no sense at all.
I love this site. Nothing makes me want to leave my Palm Pre in the trash more than reading the comments here. Pretty soon HP/Palm won't have any userbase left and then they won't have to worry about patching security exploits.
please feel free to mail me your palm and accessories when you decide to jump ship... ;>)
i'm also not above donations...
i'm in love w/my palm pre plus on at&t
gilcarvr
So why can we not get together as a group/class action and force Sprint and other carriers to update us to 2.0 asap, to prevent security hacks to our personal info. It's not like we have a choice since we are mostly under a contract.
Or
Carriers should let us out of our contracts due to a default on their part, for not maintaining security?
Any legal types on this forum that can help? I personally do not want my info out there for anyone to hack due to a problem with the OS of my phone, under the control of the carrier?
tks....
Dude, we can't even get together to agree or disagree in a calm and sane manner on how HP shows love to its biggest installed base of users by releasing WebOS 2.0 on the Pre 2 (a spec bumped Pre Plus +), delaying release of Web OS2.0 for its existing installed base, and that Flash was not delivered as Palm indicated it would be. Half the group is justifiably not feeling it and the other half are fan boys who want us to just shut up and take it until a new phone is released and/or Web OS 2.0 is released to the installed base "in the coming months".
Trying to ignore the haters and US-centric, I have an on-topic question. Can't the exploit get in via facebook/linked-info? Controlled by someone else? That would be the scary attack vector I would think.
Yes, that would be.
article says there are still problems with 2.0, but, as I think Arthur said in the forums, they couldn't release that info without either violating NDA or by having illegally downloaded the SDK...
http://www.shopping.hp.com/webapp/shopping/product_detail.do?product_cod...
Palm Pre 2 unlocked
with the features of the new HP webOS 2.0
Before making BLIND statements, please read the source article. The source article says "webOS 2.0 beta" which means the BETA SDK which is under NDA.
Was that at me? 'Cause I'm pretty sure that's what I said. I was just trying to spread your (in my opinion) noteworthy/useful information and give you credit. Did I say something wrong?
edit: Oh. Wait. Other guy's blind. I get it. What also needs to be taken into consideration is that things like this take time to find. Whoever discovered this has prolly been sifting code for awhile and for that to be the case it would have pretty much had to be the beta SDK, since the Pre2/-SFR doctor haven't been around too long.
So Arthur... Lawsuit in the future ya think? I mean.. How can these people publish?
I'm not sure HP and Palm will sue, because they don't want it to look like they're hiding stuff.
However, if they release the information before Palm patches it, I am certain HP and Palm will sue them for violating the NDA (among other things) or piracy (if they illegally downloaded the beta).
Makes sense. I could say more on the matter, but mostly I wish there was a "thanks" button here I could click.
Unbelievable! Just like politics. Everyone reads one line and comes to a conclusion over that one line instead of reading the complete study. Anything connected to the internet has a security challenge, webOS, iOS, Windows 7 along with (as everyone knows) your home PC. You must understand that as phones become more and more connected there will be more and more security issues, this is inevitable. Everyone wants their mobile device to be connected with information readily available at their finger tips along with Flash and HTML 5 for the web browser but you forget the fact regarding security issues that comes with having this accessibility. Developers are always trying to stay one step ahead of the game. It is disheartening that people are swayed one way or another instead of looking at the complete picture.
The comment by Depadilla on a
These are the same idiots who post on their facebook wall how bad facebook's privacy policy is.
And, do we even know that the webOS 2.0 release "delay" is H/Palm's choice and not the carriers'?
2.0 or we go
2.0 or we go
2.0 or we go
If sprint says they want our phones to be safe, release the update! If you assholes want to say "coming months" why tell us in the first place??!!! "coming months" could be tomorrow or 2099. Make up your damn minds, stop gettin drunk, and start using your heads before I come in and fix them with a baseball bat.
They can't release 2.0 because Palm hasn't submitted it yet.
I'd rather it be fully verified to work, instead of having to doctor my phone back a version because it doesn't work or exposes my private information to people who then take that information and rip me off. Or have a brand spanking new OS that breaks a bunch of stuff I've already got installed.
Palm just got restructured after an acquisition. People left and new people came on board. That's why there's a delay, people are having to pick up where others left off.
I write software for a living, and if you don't do that, then you don't understand. It takes a long time to minimize the impact of rolling out a new version of software. It takes even longer to break down and get a good solid grasp of where the code is and where it needs to go to get from point a to point b. It's not as easy as hitting people with baseball bats.
If you really want to make a difference, go to school and learn to program, then apply for a job at HP. They generally require you to have a degree first, so make sure you get that...unless you do some amazingly good work in the Palm dev community first. That's another way to do it.
article says there are still problems with 2.0, but, as I think Arthur said in the forums, they couldn't release that info without either violating NDA or by having illegally downloaded the SDK...
Security firms do that kind of crap all the time. It's why I hate working with them. They're notoriously bad for leaking what should be private research.
I've worked for major companies that hired penetration testers and security firms in the past. We would pay them a lot of cash to get a security analysis...and we would get a nice report back. But a lot of these firms have this attitude that they think they can just conveniently "leak" those reports out and that it will get them some publicity so they can get hired to do other jobs. The worst I've seen were the group that did analysis on webOS 1.0. They released a bug report to Palm, and Palm fixed those bugs...but apparently Palm didn't fix them fast enough for the security analysis firm to prevent them from releasing a video of them hacking an old version of the platform and mocking it as they went without even mentioning that Palm had already fixed those bugs.
That said, if these guys did the work via NDA, they definitely violated it (if it was a standard NDA) by releasing the report publicly before Palm could fix the bugs. If they illegally obtained the SDK, they deserve to be sued all over the place for that crap and Palm would be practically saints if they didn't. You know Apple or Google would sue the heck out of them for pulling that sort of stunt. I bet HP would sue them.
Gah! First time I've fallen victim to the back in browser double post! Sorry all. As a P.S... In case it wasn't obvious, I think the fact that the original article says there are still known issues w/ 2.0 is pretty much a necessary inclusion in THIS article, rather than simply saying "fixed in 2.0" in the title.
Probably the malicious code could be injected via a vcard sent to your victim. Here's hoping palm accelerates the deployment of webos 2.x. Now, let's see about an exploit..
Derek: why are you not concerned? I mean, yeah, lots of smartphones have vulnerabilities, but these vulnerabilities can be just as significant as arbitrary code execution on your windows or linux PC and should be taken just as seriously. The frequency with which security issues are dismissed on p|c as "no big deal" is surprising.
Incidentally a lot of stuff may be fixed in 2.0 by accident because a lot has been rewritten completely.
I wouldn't know about Derek, but I wouldn't be as concerned as if the vulnerability were one that could be easily exploited remotely. Since it basically would require a password hack or server admin access to deploy the exploit, it's not easy to pull off in the least.
The sort of exploit I'd be concerned about would be one that would automatically infect a device via hitting a link in an email or sending your passwords via plain text over your internet connection. That's not the case here, since getting a malformed contact into the system is the really tricky part.
As a security researcher myself I take issue with some of the blanket statements made though. Yeah, the flaws exist and should be fixed and there are probably lots more, but just using web technologies doesn't guarantee vulnerable apps, just like the web isn't guaranteed to be vulnerable just because it's easy to use web technologies insecurely.
Some inherent design elements of WebOS leave it prone to XSS and other attacks, they say. "Any mobile computing device with Internet connectivity running WebOS with its current feature set would be vulnerable," Herrera says.
Isn't this a bit like saying "any web application with a modern feature set would be vulnerable?" Yeah, using web technologies in a smartphone (especially with no concept of same-origin-policy for local apps) makes web-type-attacks work. XSS is still the fault of the developer who wrote the vulnerable app though, not the platform for allowing HTML and javascript....
Ok well maybe the web is inherently broken but that's another topic :)
Precisely. I've also done some sec analysis over the years here and there. I complained about the group who did the analysis on the original version of webOS who stated something to the tune of "It's basically flawed because it's basically a web browser". It was one of the most asinine comments I think I've ever heard from a security researcher. When they make blanket statements, I've discovered, it's because they don't really know the specifics as well as they should if they did a full in-depth analysis. Typically, it's because they've got a manager type who's leaking the information who doesn't understand the details. But it makes their whole firm look like a joke.
In any case, I'd rather have a hole in a web browser that can be patched via a mandatory OTA update rather than a hole in your tcp-ip stack or data framework that can't be patched OTA. I'll guarantee you that a huge number of people wouldn't hook their phone up to their computer to reflash it if there were a low level security hole in the OS. You can have all your apps written in native code and locked down, and you still wouldn't be able to fix that underlying flaw.
Nothing a patch can't fix.
If we were using an Android phone that was more than six months old, then we would be in real trouble.
true, true
I remember on my old HTC Touch Pro when HTC refused to offer WinMo 6.5 as an upgrade, I just downloaded a cooked rom that included 6.5 from xda-developers and cut out HTC altogether.
I'm fairly certain Android has access to the same upgrade options. Better than waiting for Palm to release their upgrade 'in the coming months'. We all know what that really means.
What it likely means is they've released it but who the hell knows when the carriers will push it through. Just look at the carrier lag on 1.4.5 or any of the Android updates. Especially on VZW.
Like the myTouch 3G that was updated to Froyo 14 months after release? Or the CLIQ which received an OS upgrade over a year after release? Or the Droid, 9 months after?
Way to go Derek, what ever happened to the not publishing these kinds of exploits until a fix is available?
Sorry, but webOS 2.NO is not a fix that any of us can use.
I am so looking forward to CES 2011, but not for Palm news, made my mind up to move to Android. Will be entering lurking mode here on P|C until my year with Android is up, then may consider switching back.
So no reply to my question if the Company field in LinkedIn/Facebook synergy-synchronized data is vulnerable to this??
I'm no expert, so my naive, hopeful opinion is that fb doesn't sync to the "company" line, as far as I can tell from any of my contacts. So (again) hopefully it wouldn't be a problem.
every mobile OS is vulnerable.
All I had to do is read "Evil McEvilson" and knew it was by Derek, but I'm not really sure why it comes across as Kesslerian.
Probably because it has the signature "Kesslerian" sound to it.
It's complete bullshit that older webos phones don't have 2.0 yet. "In coming months" is just a tactic to put everyone off until the new phones come out. I'm pretty sick of Palm's crap.
Agreed. Palm/Hp employees apparently have been getting drunk and have completely forgotten about older customers.
The Palm 'haters' here have become pretty annoying, more so than fanboys usually get. It's similar to big Apple haters on engadget's comment sections. Rational discussion is pointless, which has me moving away from PreCentral more than moving away from using a Palm phone.
Wow. So much frustration here. I feel you, I really do. Especially for the poor saps stuck with Sprint phones who are holding on to hopes of something magical @ CES next year.
The main reason Sprint isn't carrying the Pre 2 is because it isn't 4G. Why would you launch a feature phone that doesn't run on your newfangled 4G network like other phones you already have? It doesn't make sense.
I'd say one of those codenames that p|c reported probably has to do with a 4G version Pre 2 for Sprint. However, certifying a 4G phone and running it through the tests to make sure that your hardware is up to the test probably requires more time to get going. Either way, it's not a big deal. My 1.5 year old Sprint Pre has held up remarkably well. Still kicks plenty enough ass for me to be satisfied for another several months until my contract runs out. And when it does, I'll wait. I'd hate to throw money away on apps I've already bought for some oversized Android dorkphone with a UI I don't really enjoy using and having to buy apps all over again.
Sprint has released other non-4G smartphones since the Evo and Epic.
As a teenager I hate how my mom never lets me pick a phone I want for upgrade. If it was up to me I would've picked a pre at the time but she got me a damn pixi! When this contract ends and the update still isn't out, I'm leaving PALM.
Have fun leaving Palm, but I guarantee 2.0 will be out before your contract is up (unless your mother went with a 1 year contract)
Also, stop being selfish. Be glad you even got the Pixi. You are just a selfish and spoiled brat, to say the least.
Wow dude! you really need to settle down buddy, you are talking to a kid for gods sake! What a rude, unacceptable and narcissistic comment!
Get a job and buy your own phone.
I've owned a palm pre since Sept. of last year. It was a great phone and I really enjoyed it. When my 1 year upgrade was up I was hoping palm would have a bigger and faster phone available, or 2.0 would have been available with flash, just something to keep me around. I was getting tired of my slow palm pre. Especially when there are so many great phones coming out now. So i switched to Epic 4g. I don't regret it at all. It's a great phone. Don't get me wrong I love webos but Palm needs to quit dragging their feet and release phones that are comparable to the epic and evo. Hopefully when my upgrade is up next year palm will have quality phones available.
wondering what you did w/your phone and accessories?
Look who's talking. You know nothing about me. I work harder than everyone in my house but my sis does nothing and what does she get? A car. A 33 grand plus car and then she gets her an evo 2 days after she cussed my mom out! At least I don't rob my mom's purse for money to spend on cheap quality video games. I make my own money. What do you have an EVO?
I know that you're getting upset at your mother because she got you a phone. She still got you a phone.
Perhaps your sister is more spoiled (guess what, so is mine) and selfish.. I too make my own money doing app design and development, as well as assorted software and web design and development. No, I don't have an Evo, because I find it bloated and not something I could ever use (no portrait hardware keyboard).
Perhaps I jumped the gun a bit, but the way you worded everything makes it sound like you're selfish and spoiled. Perhaps you're not. No way for me to know but to take you at your word.
Yeah, you sure sound like you work harder than anyone else in your house. That's why your mom is buying your phone (and paying for your plan as well I'm sure).
because I do. That better not be sarcasm. I don't cuss my mom out. If I did she'll terminate my line whereas in my sis' case, she does nothing to her phone or line.
What is wrong with you people? stop abusing this kid!
You really think that's a kid typing?!?
Wow.
M.
Who are you calling kid......
Sorry about me snapping at u, I just tend to get really mad when someone infers a character trait about me that's not true. It's just that all my life my sis got all the attention and special items. As for my other sisters and bro, we just sat back and cleaned up all her messes. If we didn't, we'd get "the belt"
Q -- What I am saying is still no 2.0 update and still no Adobe Flash. Flash being included in 2.0 is meaningless to us Sprint Pre owners without the update. My Pre has a better chance of breaking than receiving the 2.0 update, given how Palm and Sprint drag their feet when it comes to getting out updates.
So is that it? No more HP/Palm news? The dev conference is over. We've heard about the security issue. Can't anyone figure out when we will actually get the 2.0 OTA update? Or is everyone just dreaming about the Palm Pad and all the other Palm devices which may never come? And believe me--I love webos--I just want my Adobe Flash already.
The problem is that Sprint, Verizon, and AT&T all are so slow about updates that the manufacturers should just bypass these carriers and release OS updates directly.
I seem to recall hearing that WebOS 2.0 will be available for existing Pre's, Pre Pluses, and Pixis "In the coming months". Meanwhile, Why not drop some cash on a Pre 2 so you can enjoy the WebOS 2.0 user experience that those in France are getting (that is, unless you're in France or one of the other NON-USA countries who can get the Pre 2). Of course, you can always get an unlocked Pre 2. Have fun with that.
So sad.... just move on to android and come back when palm can get their head out of their ass.
You know that won't happen. If palm doesn't make a 4G phone then they can kiss sprint goodbye because sprint wants 4G because of the $10 fee for using a 4G network.
Sprint has released non-4G phones since launching their 4G network (i.e. after releasing the EVO and Epic).
I love the graphic. Anyone else read it and think this? "I've got a PhD... in Horribleness!"
Craig - You need to spend more time with grad students if this is what you've been up to, Dr. Horribly Evil Evilness. Gah.