Palm WebOS Hacked Via SMS Messages
gondaba writes "Security researchers at the Intrepidus Group have hacked into Palm's new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities. The white hat hackers found that the WebOS SMS client did not properly perform input/output validation on any SMS messages sent to the handset, leading to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message)."
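The summary describes the core defect: the SMS client placed the raw message text into an HTML-based view, so markup in an SMS became part of the application itself. The following is an added illustration, not code from the Intrepidus Group write-up or from Palm's WebOS; it assumes a hypothetical rendering function in an HTML/JavaScript messaging view and a constructed sample message, and contrasts the unvalidated pattern with output encoding of every untrusted field.

```javascript
// Added example (not from the Intrepidus Group write-up or Palm's code):
// a hypothetical HTML-based messaging view that must treat an SMS body as text.

// Encode the five characters that let untrusted text alter HTML structure or attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unvalidated pattern (the behaviour the summary describes): the sender and body are
// concatenated straight into markup, so any tag in the SMS lands in the app's DOM.
function renderUnsafe(sms) {
  return `<div class="sms"><span class="from">${sms.from}</span><p>${sms.body}</p></div>`;
}

// Hardened pattern: every field that came off the network is encoded before it
// reaches the markup, so the same message is displayed literally.
function renderSafe(sms) {
  return `<div class="sms"><span class="from">${escapeHtml(sms.from)}</span>` +
         `<p>${escapeHtml(sms.body)}</p></div>`;
}

// Constructed sample message; the body carries markup, as an untrusted sender could supply.
const sample = { from: '+15555550100', body: 'hello <b>world</b> & "friends"' };

// Detection check usable in a unit test: does any raw tag from the input survive
// in the rendered output? True means the view is injectable.
function containsRawTag(html, body) {
  const tags = body.match(/<[^>]+>/g) || [];
  return tags.some((t) => html.includes(t));
}

console.log('unsafe:', renderUnsafe(sample), containsRawTag(renderUnsafe(sample), sample.body));
console.log('safe:  ', renderSafe(sample), containsRawTag(renderSafe(sample), sample.body));
```

The `containsRawTag` check is the kind of negative test the later comments ask for: it verifies something the view must not do, rather than only that a message is shown.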
Wow (Score:5, Insightful)
Re:Lol (Score:5, Insightful)
Re:Dangerous? (Score:3, Insightful)
What if you're trying to call 911 but your phone has been rooted? I'd call that dangerous and could very easily cost lives or property...
Re:Lol (Score:2, Insightful)
It's really not that hard to write protective measures for, of all things, input validation. That's literally day 3 material in any intro web programming class these days.
Re:Lol (Score:3, Insightful)
Sure, the developers should have known better, but issues like this pop up due to an inherent problem in most software development processes. That problem is that specs are written that say what the software should do. Every once in a while the specs note a couple things the software shouldn't do. The specs then go to testers who make sure that the software does everything in the specs and, when it meets spec, everyone signs off. There's often little attention paid to making sure that software DOESN'T do things that aren't spec'd. This problem is further exacerbated in many shops that outsource testing to vendors. In such situations the testers cover only the very specific items noted in the contract and nothing else.
Shops that want to prevent problems like this need to bring back some creative types for testing. You know, the ones you can hand a device to and say "I dare you to f*ck this thing up" and who will take it as a challenge. Unfortunately, those types often command a higher $$ figure than management is willing to pay when "there is a team of people in India who'll test this thing to spec for $30 an hour."
Of course, you need a little bit of both in this world. It's important to have spec testers who'll follow strict methodology just as it's important to have creative testers that will find all that stuff nobody thought about.
Re:Dangerous? (Score:3, Insightful)