19 Apr 2010
Researchers have managed to crack Palm's webOS with a simple text message. The team at Intrepidus Group worked on a Palm Pre running version 1.3.5 of the webOS operating system, and found it open to many common vulnerabilities due to its inherent design.
"As we started to pry a little it became quite apparent that Palm's new WebOS platform was riddled with some pretty dangerous bugs," said the team in a blog post.
"These bugs can all be traced back to the fact that webOS is essentially a web browser and the applications are written in JavaScript and HTML.
"This also means that webOS applications are subject to the numerous web applications vulnerabilities that any seasoned penetration tester would be all too familiar with."
The researchers loved the operating system as a concept, but were scathing about the security of the handset, saying that Palm must have put "almost no thought into security".
They found common web application flaws built into applications that Palm had written itself.
The team said that the SMS system did not perform input/output validation. This allows an HTML injection attack in which an iFrame inserted into a message is activated automatically. The team demonstrated this in a video.
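The missing output validation described above, shown as an added example that is not from the article, Intrepidus Group or Palm: a message view that concatenates the SMS body into HTML, next to one that encodes it at the point of output. All function names and the sample message are constructed for illustration.

```javascript
// Added illustration: hypothetical function names, constructed sample data.
// Models a messaging view that builds an HTML fragment from an incoming SMS.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: every character with meaning in HTML becomes an entity,
// so the message can only ever be displayed as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak form (assumed model of the reported flaw): body goes into markup as-is.
function renderMessageUnsafe(sender, body) {
  return '<div class="msg"><span class="from">' + sender + '</span><p>' + body + '</p></div>';
}

// Hardened form: sender and body are both encoded where they are written out.
function renderMessageSafe(sender, body) {
  return '<div class="msg"><span class="from">' + escapeHtml(sender) +
         '</span><p>' + escapeHtml(body) + '</p></div>';
}

// Regression check: list tags in rendered output that the template itself
// never emits. Any entry means message content was interpreted as markup.
function unexpectedTags(html, allowed = ['div', 'span', 'p']) {
  const found = new Set();
  for (const m of html.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) found.add(tag);
  }
  return [...found].sort();
}

// Constructed sample message; example.invalid is a reserved placeholder host.
const sampleBody = 'hi <iframe src="http://example.invalid/"></iframe> & bye';

console.log(unexpectedTags(renderMessageUnsafe('555-0100', sampleBody)));
console.log(unexpectedTags(renderMessageSafe('555-0100', sampleBody)));
```

Running `unexpectedTags` over rendered output in a test suite catches any template that starts passing message content through unencoded.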
The announcement comes at a low point in Palm's history, with poor financial results, the resignation of its chief executive and rumours of a takeover in the offing.
UPDATE: Intrepidus Group has updated its post to point out that its findings affect an older version of the Palm OS.
"Palm has since released WebOS 1.4, which fixes these vulnerabilities, though not all handsets or carriers are running this version. Due to contractual agreements, the public disclosure of this information was delayed," the firm noted.
Do you agree?
Topsy Turvy report
The heading for the news story should be "Palm closes vulnerabilities with WebOS update". But since the update is months old, it's not news, since the vulnerabilities have only been exploited in an earlier version and after the update. Why not do the same for any OS? It would be true. Find some real news.
Posted by: Donald Duck 20 Apr 2010
Harsh
Yeah, come on guys. Posting bad news about a struggling company when the news is outdated is kicking them when they are down, and utterly pointless. There were issues in the old WebOS version, and they were fixed in the next release. It's a new OS, it'll take time to iron out all the bugs. This is my first Palm device, and I think it's an outstanding package. I for one hope that Palm survive this and keep working on the OS and their handsets, as I'd never want another smartphone. Additionally, updates are rolled out over the air automatically, so there is no reason why any handset shouldn't be running the latest WebOS version.
Posted by: Graham 20 Apr 2010
Old news
That was OS version 1.3.5. Palm addressed these issues in subsequent OS updates (1.4.x), which have been pushed to all phones. So...why is this "news"?
Posted by: Charles Alexander 20 Apr 2010
really...
The mere fact that you are posting this on April 19th, 2010 is nothing but belligerent and disrespectful. Who hired you as journalists....monkeys? Version 1.3.5 of the Web OS hasn't been out for FOUR MONTHS.
Posted by: rob 20 Apr 2010