Security exploit uncovered in webOS 1.4.X, fixed in 2.0 | webOS Nation
 
 


by Derek Kessler Fri, 26 Nov 2010 11:03 am EST

Contacts exploit discovered in webOS

Two researchers with SecTheory have announced that they have uncovered flaws in older versions of webOS that would allow for remote command and control of the devices. These exploits were discovered in webOS 1.4.X (1.4.0 through 1.4.5), but some have since been patched in webOS 2.0.

Because webOS is built on web technologies, it will always be possible to hack the operating system using techniques similar to those used to exploit websites. Considering that our phones generally contain far more personal information than any single website, that can be slightly worrying. Of course, the other side of the coin tells us that webOS wouldn’t be webOS without these web technologies. With every mobile platform there are trade-offs. Ease of programming and accessibility leads to a more easily exploited operating system.

According to the researchers, the Company field in the 1.4.X Contacts app is “unsanitized,” which let them inject code that pulled other information from the Contacts database. Additionally, they were able to insert a JavaScript hook that enabled the use of tools such as keyloggers, possibly leading to botnets and the like.

There are at least two unmentioned caveats to this exploit: first, the code isn’t executed until the user views it (it sits there until the contact containing the malicious code is opened and viewed), and second, the code still has to get on the device somehow. We can think of a few ways to get the code into a contacts field of your device. Inserting it through a web-based contacts application (e.g. Google Contacts or the user’s Exchange database, though then you still have to crack the user’s password) is the only remote manner we can fathom. Everything else requires either interaction with the user (accepting a transmitted vCard contact through email or other means) or physical access to the device. And if somebody else has access to your phone, you’re pretty much screwed anyway.
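To make the unsanitized Company field and the vCard delivery route concrete, here is a sketch of the general bug class and its fix: a contact field rendered into markup as-is versus escaped at output, plus an import-time check for markup in fields. It is an added example, not code from Palm, SecTheory or the original article; the vCard sample, function names and HTML structure are assumptions.

```javascript
// Constructed sample contact; property names (FN, ORG, TEL) follow vCard 3.0.
const SAMPLE_VCARD = [
  'BEGIN:VCARD',
  'VERSION:3.0',
  'FN:Pat Example',
  'ORG:Example Corp<script>/* constructed marker */</script>',
  'TEL:+1-555-0100',
  'END:VCARD',
].join('\r\n');

// Parse "NAME;params:value" lines, unfolding continuation lines first.
function parseVCard(text) {
  const unfolded = text.replace(/\r?\n[ \t]/g, '');
  const fields = {};
  for (const line of unfolded.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).split(';')[0].toUpperCase();
    if (name === 'BEGIN' || name === 'END' || name === 'VERSION') continue;
    fields[name] = line.slice(idx + 1);
  }
  return fields;
}

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Names of fields whose values contain markup; worth logging at import time.
function fieldsWithMarkup(fields) {
  return Object.keys(fields).filter((k) => /<[a-z!\/]/i.test(fields[k]));
}

// Hypothetical vulnerable view: the field value is concatenated into markup.
function renderUnsafe(fields) {
  return '<div class="company">' + (fields.ORG || '') + '</div>';
}

// Hardened view: the field value is escaped at output, so it displays as text.
function renderSafe(fields) {
  return '<div class="company">' + escapeHtml(fields.ORG || '') + '</div>';
}
```

Escaping at output covers every route a contact can arrive by (sync, vCard import, manual entry); the import-time check is a detection aid, not a replacement for it.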

Overall, like every other security exploit revealed to date about webOS, we’re not too concerned. There are all sorts of ways to exploit webOS, some of which are essential to fun stuff like homebrew. That said, we’re not super huge fans of malicious exploits, and we’re glad to see that Palm has fixed this particular problem with the release of webOS 2.0. Now if only those of us that don’t have Pre 2 phones could download the new OS...

Source: Darkreading; Via: Engadget; Thanks to everybody that sent this in.