Security flaw found in webOS 3.0 for the HP TouchPad [Update] | webOS Nation

Security flaw found in webOS 3.0 for the HP TouchPad [Update]

by Tim Stiffler-Dean Thu, 07 Jul 2011 2:50 am EDT

If you've just purchased or are thinking about getting a shiny new HP TouchPad, you may want to take a few minutes to read this first. Our old friend Daniel Herrera (see the update below, Orlando Barrera II is the researcher who found this flaw), who once exploited a major security bug in older versions of webOS, has spoken up once more with information about another very similar flaw at the foundations of the webOS operating system itself. A flaw that effects HP's new TouchPad device and webOS 3.0.

According to Barrera, it is the foundational nature of webOS that has doomed it in this very simple way. By creating a platform that is open and influenced directly by web languages and similarly exploited web-based hacks, HP, and Palm before them, has launched a system that makes it possible, and very easy, for hackers to inject such malicious code as keyloggers and mobile bot-nets (which would further increase the spread of either spam or the code, or both!).

The problem is found in the contacts application, which has "unsanitized" text fields, such as the Company field, that allow code to be executed on the device to pull data from Palm's servers and send them to a server under the hacker's control. While the code today is not capable of doing much outside of taking some contact details that you have saved on that device, it could quickly evolve into the much more malicious code that we mentioned above. HP has yet to respond directly about the situation, except to comment that security flaws such as this one will be dealt with immediately through the next OTA updates, something they can now control the distribution of, so we shouldn't see the kinds of delays with updates that are found with smartphones (partly due to carriers). 

Barrera's intentions were not bad, and he has only published his findings to alert consumers and to give HP the opportunity to quickly fix the problem in future updates (sort of forcing their hand as well). Herrera puts it bluntly, "The only reason it hasn't been exploited before is market share, but now that HP is trying to get into the PC tablet market, it has a potentially larger market share and becomes more of a target."

So, we'll give you the same advice we hear about all major exploits of operating systems: stay away from websites you don't trust, don't open an email attachment that looks suspicious in any way, and of course, don't give your TouchPad to someone that you don't know when you can't watch them with it (who does that, though?). Other than Herrera's proof-of-concept, we haven't heard of any immediate danger to TouchPad owners using this or any other webOS security flaw, but it doesn't mean it's not already out there or in the works. Hopefully HP responds promptly with an OTA update on this, or at least give some word of assurance to the comments that are coming in. 

Until then, we don't recommend that you stop using your devices either, just use wisdom while browsing. We'll keep you updated as we learn more.

Update: While we previously gave Daniel Herrera the credit for finding this exploit and publicizing it, we have received an update saying that it was actually his colleague, Oralando Barrera II, and not Daniel Herrera, who should receive credit for this research. Daniel Herrera is currently not continuing his work with webOS-related research, and Barrera, who worked closely with Daniel last year on the other security flaw in webOS smartphones, is the researcher behind this latest find.

Source: DarkReading;