Security flaw found in webOS 3.0 for the HP TouchPad [Update]
If you've just purchased or are thinking about getting a shiny new HP TouchPad, you may want to take a few minutes to read this first. Our old friend Daniel Herrera (see the update below; Orlando Barrera II is the researcher who found this flaw), who once exploited a major security bug in older versions of webOS, has spoken up once more with information about another very similar flaw at the foundations of the webOS operating system itself, a flaw that affects HP's new TouchPad device and webOS 3.0.
According to Barrera, it is the foundational nature of webOS that has doomed it in this very simple way. By creating a platform that is open, built directly on web languages and exposed to similar web-based hacks, HP, and Palm before them, have launched a system that makes it possible, and very easy, for hackers to inject such malicious code as keyloggers and mobile bot-nets (which would further increase the spread of either spam or the code, or both!).
The problem is found in the contacts application, which has "unsanitized" text fields, such as the Company field, that allow code to be executed on the device to pull data from Palm's servers and send it to a server under the hacker's control. While the code today is not capable of doing much outside of taking some contact details that you have saved on that device, it could quickly evolve into the much more malicious code that we mentioned above. HP has yet to respond directly about the situation, except to comment that security flaws such as this one will be dealt with immediately through the next OTA updates, something they can now control the distribution of, so we shouldn't see the kinds of delays with updates that are found with smartphones (partly due to carriers).
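To make "unsanitized text field" concrete, here is an added example (not code from webOS, HP or the researcher) that renders a contact's Company field the vulnerable way and the hardened way. The function names, the record layout and the sample record are assumptions made for illustration.

```javascript
// Added illustration only: not webOS source. All names here are hypothetical.
// Characters that let field text break out of HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Coerce first: imported records may carry numbers, null or undefined.
  return String(value == null ? '' : value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Parse an imported record strictly as data (JSON.parse, never eval) and
// keep only the string fields the view expects.
function parseImportedContact(jsonText) {
  const raw = JSON.parse(jsonText);
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw new TypeError('contact record must be a JSON object');
  }
  return {
    name: typeof raw.name === 'string' ? raw.name : '',
    company: typeof raw.company === 'string' ? raw.company : '',
  };
}

// Vulnerable pattern: field text is concatenated straight into markup, so
// tags typed into the Company field become live markup in the app's view.
function renderContactUnsafe(contact) {
  return '<div class="contact"><span class="name">' + contact.name +
    '</span><span class="company">' + contact.company + '</span></div>';
}

// Hardened pattern: every field is escaped at the point of output.
function renderContactSafe(contact) {
  return '<div class="contact"><span class="name">' + escapeHtml(contact.name) +
    '</span><span class="company">' + escapeHtml(contact.company) + '</span></div>';
}

// Constructed sample record; the script tag carries only an inert comment.
const SAMPLE_IMPORT = JSON.stringify({
  name: 'Pat Example',
  company: 'Acme <script>/* constructed marker */</script>',
});

function demo() {
  const contact = parseImportedContact(SAMPLE_IMPORT);
  return { unsafe: renderContactUnsafe(contact), safe: renderContactSafe(contact) };
}
```

The same escaping has to be applied everywhere a stored field is written into markup, since the stored value itself stays untrusted.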
Barrera's intentions were not bad, and he has only published his findings to alert consumers and to give HP the opportunity to quickly fix the problem in future updates (sort of forcing their hand as well). Herrera puts it bluntly, "The only reason it hasn't been exploited before is market share, but now that HP is trying to get into the PC tablet market, it has a potentially larger market share and becomes more of a target."
So, we'll give you the same advice we hear about all major exploits of operating systems: stay away from websites you don't trust, don't open an email attachment that looks suspicious in any way, and of course, don't give your TouchPad to someone that you don't know when you can't watch them with it (who does that, though?). Other than Herrera's proof-of-concept, we haven't heard of any immediate danger to TouchPad owners using this or any other webOS security flaw, but it doesn't mean it's not already out there or in the works. Hopefully HP responds promptly with an OTA update on this, or at least gives some word of assurance to the comments that are coming in.
Until then, we don't recommend that you stop using your devices either, just use wisdom while browsing. We'll keep you updated as we learn more.
Update: While we previously gave Daniel Herrera the credit for finding this exploit and publicizing it, we have received an update saying that it was actually his colleague, Orlando Barrera II, and not Daniel Herrera, who should receive credit for this research. Daniel Herrera is currently not continuing his work with webOS-related research, and Barrera, who worked closely with Daniel last year on the other security flaw in webOS smartphones, is the researcher behind this latest find.
Source: DarkReading

25 Comments
uh-oh. hope HP pushes an update asap.
Hope HP gets on this asap. Would hate to see TP suffer because of it.
Ha!
This has been responded to at WebosRoundup & by webosinternals. Just because webOS is based on open web technologies doesn't inherently make webOS more vulnerable. Everything man-made has flaws. Nothing will ever be perfect or completely bullet proof. As Rod said, the most open OS, Linux, is also the most secure. Herrera just has an axe to grind - he's ticked that HP didn't give him credit for discovering this. This flaw won't just automatically reach out and bite you in the butt. User action is required - you have to import a contact. How often do you import a vcf? I know most of my importing is done in gmail & the like.
"foundational nature of webOS that has doomed it in this very simple way"
This is misleading. There is nothing special about webOS that makes it more vulnerable than any other web technology.
There are well understood coding techniques to protect against these exploits. There are tools available to test for these coding mistakes.
I've always argued that we should expect more help from the browser vendors. This would have a performance cost though.
Imagine HTML text elements with a "noScripting" attribute. Come on W3C!
Check his bank account for a deposit from Apple.
Yeah, I'm sure Apple is waging trench warfare to make sure webOS doesn't catch up.
:-)
if so they are winning in the trenches
Unsanitized text fields make me hot. I hope they leave it as is.
Looks like Apple has the same problems.
http://online.wsj.com/article/SB1000142405270230336580457643154110270113...
Apple Inc. said Thursday it is working to resolve a security hole in its iPhone and other mobile products that German authorities warned could allow cyber criminals to access confidential information or intercept telephone conversations.
Users are particularly vulnerable when they view Portable Document Format, or PDF, files, which give attackers an opportunity to infect the devices with malicious software, giving them administrative rights to the device, the German Federal Office for Information Security said Wednesday.
Once infected, cyber criminals could read confidential information such as passwords, online-banking data, calendars, e-mails and other information, as well as intercept telephone conversations and the location of the user. The security hole is present in several versions of Apple's iOS software on its iPhone, iPad and iPod Touch products, the agency added.
Read more: http://online.wsj.com/article/SB1000142405270230336580457643154110270113...
I make it a habit to not get too worked up about "security vulnerabilities" that require me to do something, or require physical access to the device. If someone wants to impress me with how weak webOS security is, I'll lay my device on the table, and you access my sensitive personal data on it without anyone touching it.
this stuff happens. it's just up to HP/Palm to stay on it and quickly keep closing security holes as they are found.
Precentral: This security flaw is NOT due to the web technologies of WebOS. It is due to poor programming choices by the WebOS implementation team. This is the same as SQL-Injection flaws. SQL Injection flaws are not there because companies chose to use web technologies or databases, but rather because they ignored proper coding/security practices for the web/database technologies.
https://developer.palm.com/distribution/viewtopic.php?f=21&t=15987
The Contacts exploit was minor compared to the two other exploits which HP was informed about (Email and SMS); however, due to the hostile response from HP in regards to those security issues it was necessary to bring attention to other security issues related to this product. This exploit is not as harmful as others I have found (PDF, Buffer Overflow). Check out the video on the email exploit which HP denied existed after I informed them of the issue. I have been able to compromise the device with no user action and get malicious code to execute; but I am so tired of messing with WebOS I just want the vendor to "Fix" the product (Yes, using eval, sanitizing user input, "noScripting" attribute would be a great start). Either way now the end user can make an informed decision when buying the product and be aware of risks using the product.
Wow it's hard to believe that there's a post that's effectively bashing WebOS on THIS website. Seriously? Many commenters have already pointed it out. The 'foundational nature'? Gimme a break.
Some coder broke the holy rule of 'NEVER trust external JSON' and didn't add sanitization. That's all this is. Nothing more. It happens everywhere in the web world.
I hope this article gets changed soon because right now it's nothing but a sensationalist nonsense piece that actually bashes WebOS... On a WebOS fan site. WTF?! anyone?
I guess this means my company will not approve this device for use. They allow BB, Android and the iPhone but no WebOs. I have a Pre+ and I can't sync with our corporate server. It really sucks and may ultimately be the reason I go to the dark side.
Like those devices have no issues...
guess they better not use computers. Or paper, which could be copied in a copy machine.
I know! Stone tablets! Hard to steal or copy (scratches the glass too much).
I, on the other hand, am enjoying showing off my Pre2 on its Touchstone in my truck, with MS Sync doing phone calls, Music Remix playing over my speakers via MS Sync, all without having to touch my phone.
When I get home, I can take calls on my Touch Pad and see my Facebook messages in e-mail. As for security vulnerabilities, well I guess I won't accept any vcf cards from **** or cocaine sites.... darn
@TheMarco
As a software developer I love WebOS and the open source community which has contributed to the project. My intentions were not to "bash" the WebOS project, nor start a flame war, only to discuss security issues related to the product and the vendor's response. If you feel non disclosure is better than responsible or full disclosure, that is another topic.
I don't think ANY part of my comment indicates that I feel 'non disclosure is better'. I have absolutely no idea where you got that. I'm also curious how you got to the whole 'flamewar' thing. See anyone flaming? I don't really.
My point was, and still is: An exploit was found because some developer(s) forgot to sanitize external input. The security hole is going to be plugged.
The whole thing has absolutely NOTHING to do with the open nature of webOS or any other webOS architecture related thing. Issues like this pop up on any OS / platform.
HP actually markets solutions for scanning web applications for vulnerabilities: http://www8.hp.com/us/en/software/software-solution.html?compURI=tcm:245...
Not too tough to get a handle on this...
HP also says in the thread that malloci references above that this will be fixed in the next OTA update.
https://developer.palm.com/distribution/viewtopic.php?f=21&t=15987
or maybe there will be a vcf with a secret spy hack into your Pre or TP. AAAGGGGHHHH!