Palm WebOS Hacked Via SMS Messages

gondaba writes "Security researchers at the Intrepidus Group have hacked into Palm's new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities. The white hat hackers found that the WebOS SMS client did not properly perform input/output validation on any SMS messages sent to the handset, leading to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message)."
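
The bug class the summary describes, message text reaching an HTML view without output encoding, shown as an added example (not code from the submission, the Intrepidus Group, or Palm). `renderMessageRow`, the message object shape and the sample message are assumptions made for illustration.

```javascript
// Added example: output-encode untrusted SMS fields before they reach an HTML view.
// The function names and message shape are hypothetical, not WebOS APIs.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "`": "&#96;",
};

// Encode every character that can open a tag or entity, or close a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: message fields are concatenated straight into markup.
function renderMessageRowUnsafe(msg) {
  return '<div class="sms" title="' + msg.sender + '">' + msg.body + "</div>";
}

// After: both the attribute value and the element content are encoded.
function renderMessageRow(msg) {
  return (
    '<div class="sms" title="' + escapeHtml(msg.sender) + '">' +
    escapeHtml(msg.body) +
    "</div>"
  );
}

// True when the rendered row contains only the opening and closing <div> of the template.
function hasOnlyTemplateMarkup(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.length === 2 && tags[0].startsWith('<div class="sms"') && tags[1] === "</div>";
}

// Constructed sample: harmless markup standing in for sender-controlled text.
const sample = { sender: '+15550100" data-x="1', body: "lunch at <b>noon</b> & after?" };

console.log(hasOnlyTemplateMarkup(renderMessageRowUnsafe(sample))); // extra tags survive
console.log(renderMessageRow(sample)); // message text rendered as inert characters
```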

  • Wow (Score:5, Insightful)

    by coniferous ( 1058330 ) on Monday April 19, 2010 @01:36PM (#31898888) Homepage
    I cannot believe that: a) An exploit like this exists. SANITIZE ALL INPUTS! b) It took this long to find. This reminds me a lot of the exploit on android where it acted like all text entered was typed into a terminal.
  • Re:Lol (Score:5, Insightful)

    by jsnipy ( 913480 ) on Monday April 19, 2010 @01:43PM (#31899054) Journal
    It's more about testing processes as opposed to development processes ("coding").
  • Re:Dangerous? (Score:3, Insightful)

    by SoTerrified ( 660807 ) on Monday April 19, 2010 @01:44PM (#31899058)

    What if you're trying to call 911 but your phone has been rooted? I'd call that dangerous and could very easily cost lives or property...

  • Re:Lol (Score:2, Insightful)

    by 228e2 ( 934443 ) on Monday April 19, 2010 @01:47PM (#31899126)
    Nah, parent is correct.

    It's really not that hard to write protective measures for, of all things, input validation. That's literally day 3 material in any intro web programming class these days.
  • Re:Lol (Score:3, Insightful)

    by ravenscar ( 1662985 ) on Monday April 19, 2010 @02:16PM (#31899530)

    Sure, the developers should have known better, but issues like this pop up due to an inherent problem in most software development processes. That problem is that specs are written that say what the software should do. Every once in a while the specs note a couple things the software shouldn't do. The specs then go to testers who make sure that the software does everything in the specs and, when it meets spec, everyone signs off. There's often little attention paid to making sure that software DOESN'T do things that aren't spec'd. This problem is further exacerbated in many shops that outsource testing to vendors. In such situations the testers cover only the very specific items noted in the contract and nothing else.

    Shops that want to prevent problems like this need to bring back some creative types for testing. You know, the ones you can hand a device to and say "I dare you to f*ck this thing up" and who will take it as a challenge. Unfortunately, those types often command a higher $$ figure than management is willing to pay when "there is a team of people in India who'll test this thing to spec for $30 an hour."

    Of course, you need a little bit of both in this world. It's important to have spec testers who'll follow strict methodology just as it's important to have creative testers that will find all that stuff nobody thought about.

  • Re:Dangerous? (Score:3, Insightful)

    by Itninja ( 937614 ) on Monday April 19, 2010 @02:19PM (#31899578) Homepage
    What if you need to call 911 and your battery is dead? Are dead batteries a danger to lives or property?
