
Palm WebOS Hacked Via SMS Messages

Soulskill posted more than 4 years ago | from the and-a-sausage dept.

Cellphones

gondaba writes "Security researchers at the Intrepidus Group have hacked into Palm's new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities. The white hat hackers found that the WebOS SMS client did not properly perform input/output validation on any SMS messages sent to the handset, leading to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message)."
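The bug class in the summary, as an added illustration that is not Palm's or Intrepidus' code: a web-app messaging view that string-concatenates the SMS body into its HTML template lets markup in the message become part of the app's DOM, while escaping the untrusted fields first keeps it as text. The template, sender number, sample messages and the tag-counting check are all constructed for this example.

```javascript
// Added example (not from the original story or Palm's SDK). Models how an
// HTML-injection bug in an SMS viewer arises and how output escaping removes it.

// Constructed sample message bodies (not real captures). The last two contain
// markup; note that the final one carries no <script> tag at all, so stripping
// only "script" would not be a fix.
const SAMPLE_MESSAGES = [
  "Meet at 5pm?",
  "Price: 5 < 10 & 10 > 5",
  'hello <script>alert("from sms")</script>',
  '<img src=x onerror="alert(1)">',
];

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the raw message body is interpolated into the template,
// so any tag in the SMS is parsed as part of the application's own markup.
function renderBubbleUnsafe(sender, body) {
  return `<div class="bubble"><span class="from">${sender}</span>${body}</div>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation;
// the message text is displayed verbatim but can no longer introduce tags.
function renderBubbleSafe(sender, body) {
  return `<div class="bubble"><span class="from">${escapeHtml(sender)}</span>${escapeHtml(body)}</div>`;
}

// Simple audit check used here only to make the difference observable:
// count HTML tags in the rendered output and subtract the four the template
// itself contributes (<div>, <span>, </span>, </div>). Anything left over
// came from the message.
const TEMPLATE_TAG_COUNT = 4;

function injectedTagCount(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length - TEMPLATE_TAG_COUNT;
}

// Render every sample both ways and report how many foreign tags each path
// lets through. The "less than" in the price message is not a tag and is
// correctly counted as zero in both paths.
function audit(messages) {
  const sender = "+15550000000"; // constructed, not a real number
  return messages.map((body) => ({
    body,
    unsafeInjected: injectedTagCount(renderBubbleUnsafe(sender, body)),
    safeInjected: injectedTagCount(renderBubbleSafe(sender, body)),
  }));
}
```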


99 comments


Lol (2, Funny)

Codename Dutchess (1782238) | more than 4 years ago | (#31898750)

These are always my favorite posts to read. Nothing like hiring 12 year olds to code your software.

Re:Lol (1)

WrongSizeGlass (838941) | more than 4 years ago | (#31899044)

I think the problem is that they didn't have 12 year olds try to hack their software during the security QA phase.

Re:Lol (4, Insightful)

jsnipy (913480) | more than 4 years ago | (#31899054)

It's more about testing processes as opposed to development processes ("coding").

Re:Lol (2, Insightful)

228e2 (934443) | more than 4 years ago | (#31899126)

Nah, parent is correct.

It's really not that hard to write protective measures for, of all things, input validation. That's literally day 3 material in any intro web programming class these days.

Re:Lol (2, Funny)

FatdogHaiku (978357) | more than 4 years ago | (#31899642)

Obligatory XKCD [xkcd.com]

Re:Lol (0)

Anonymous Coward | more than 4 years ago | (#31899920)

Obligatory post pointing out that everyone has seen that comic, and that posting it is a wonderful example of karma whoring.

Re:Lol (1, Funny)

Anonymous Coward | more than 4 years ago | (#31900426)

Obligatory post pointing out that nobody cares what an AC says ... including this post.

Re:Lol (1)

znerk (1162519) | more than 4 years ago | (#31900984)

Re:Lol (Score:0)
by Anonymous Coward writes: on Monday April 19, @02:08PM (#31900426)
Obligatory post pointing out that nobody cares what an AC says ... including this post.

Where are my mod points?!?

Re:Lol (2, Funny)

bhtooefr (649901) | more than 4 years ago | (#31901848)

Obligatory post pointing out that funny doesn't give karma.

Re:Lol (0)

Anonymous Coward | more than 4 years ago | (#31899648)

In the real world of software production it is a matter of verification vs. developer judgment. Small-shop folks who write code for small projects cowboy style typically do not understand this.

WebOS does display sanitization by default (4, Interesting)

ensignyu (417022) | more than 4 years ago | (#31900256)

You have to explicitly enable the "I know what I'm doing, stop protecting me" flag in your app to allow these types of exploits.

http://developer.palm.com/index.php?option=com_content&view=article&id=1756 [palm.com]

Re:WebOS does display sanitization by default (0)

Anonymous Coward | more than 4 years ago | (#31900806)

They work by default on 1.3.5. Your statement is only true after the Intrepidus exploit was reported and patched.

Re:WebOS does display sanitization by default (1)

ensignyu (417022) | more than 4 years ago | (#31901286)

Sanitization has been on by default [google.com] since WebOS 1.1.

It's up to the individual developers to make sure their app is secure -- which it is by default if they don't disable the security features provided by WebOS.

Re:WebOS does display sanitization by default (1)

Jahava (946858) | more than 4 years ago | (#31901626)

Sanitization has been on by default [google.com] since WebOS 1.1.

It's up to the individual developers to make sure their app is secure -- which it is by default if they don't disable the security features provided by WebOS.

This suggests that the developer of the SMS app in question (which is still Palm, I think) explicitly declined to utilize WebOS's sanitization support. While I'll give basic kudos to the WebOS developers for foreseeing this issue and negating it by default, it still stands that Palm released a live operating system with a vulnerable (at its own request) SMS application. The WebOS developers might have been smart, but the SMS application developers ruined the party for everyone.

So anyone want to brainstorm why an SMS application would want to manually opt-out of input sanitization? Seriously ... I can't think of any... :-/

Re:WebOS does display sanitization by default (0)

Anonymous Coward | more than 4 years ago | (#31904776)

Plausible deniability for a way to 'jailbreak' the OS.

Re:WebOS does display sanitization by default (1)

someSnarkyBastard (1521235) | more than 4 years ago | (#31906456)

That may indeed be true but how many release-quality products do you think ship with that code turned off for performance reasons?

Re:Lol (1)

Mister Whirly (964219) | more than 4 years ago | (#31900604)

Day 3 material? This is day 1 material. "Never trust user input." Hell, it could be lesson 1.

Re:Lol (3, Insightful)

ravenscar (1662985) | more than 4 years ago | (#31899530)

Sure, the developers should have known better, but issues like this pop up due to an inherent problem in most software development processes. That problem is that specs are written that say what the software should do. Every once in a while the specs note a couple things the software shouldn't do. The specs then go to testers who make sure that the software does everything in the specs and, when it meets spec, everyone signs off. There's often little attention paid to making sure that software DOESN'T do things that aren't spec'd. This problem is further exacerbated in many shops that outsource testing to vendors. In such situations the testers cover only the very specific items noted in the contract and nothing else.

Shops that want to prevent problems like this need to bring back some creative types for testing. You know, the ones you can hand a device to and say "I dare you to f*ck this thing up" and who will take it as a challenge. Unfortunately, those types often command a higher $$ figure than management is willing to pay when "there is a team of people in India who'll test this thing to spec for $30 an hour."

Of course, you need a little bit of both in this world. It's important to have spec testers who'll follow strict methodology just as it's important to have creative testers that will find all that stuff nobody thought about.

Re:Lol (1)

mantis2009 (1557343) | more than 4 years ago | (#31899668)

RTFA - webOS 1.4 (the current version) patches this vulnerability. Stop beating up on Palm.

This Just in... (1)

chriso11 (254041) | more than 4 years ago | (#31899720)

Other 'news' - Apparently, Apple is going to make a phone! Maybe it will be as big as the iPod!

Re:Lol (0)

Anonymous Coward | more than 4 years ago | (#31904874)

(whining loudly) Leave (Palm) Britney alone... sniff... sniff...

Re:Lol (1)

aXis100 (690904) | more than 4 years ago | (#31905658)

Why give them credit? They must have had very shitty standards to allow this bug to exist in the first place, so who's to say there aren't more?

Dangerous? (1)

Itninja (937614) | more than 4 years ago | (#31898816)

This bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....

Re:Dangerous? (0)

Anonymous Coward | more than 4 years ago | (#31898912)

This bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....

Something like this isn't dangerous (unless it's a Microsoft product with the vulnerability).

Re:Dangerous? (2, Insightful)

SoTerrified (660807) | more than 4 years ago | (#31899058)

What if you're trying to call 911 but your phone has been rooted? I'd call that dangerous and could very easily cost lives or property...

Re:Dangerous? (2, Insightful)

Itninja (937614) | more than 4 years ago | (#31899578)

What if you need to call 911 and your battery is dead? Are dead batteries a danger to lives or property?

Re:Dangerous? (1)

perryizgr8 (1370173) | more than 4 years ago | (#31899948)

What if you are trying to call 911 and the AT&T network is gone? Is AT&T a danger to lives or property?

Re:Dangerous? (1)

netsharc (195805) | more than 4 years ago | (#31900586)

To be pedantic, emergency calls are priority-routed through any available GSM network, and it even works without a SIM card in the phone. Although apparently they want to disable that last feature because too many idiots call up 911 without a card in the phone, and they can't trace them.

Re:Dangerous? (1)

KiwiSurfer (309836) | more than 4 years ago | (#31903486)

Routing calls without a SIM card is not the case in some countries. In New Zealand, for example, all carriers have disabled non-SIM emergency calls at the request of the emergency services. However any phones with a valid SIM in it will be able to make emergency calls.

Re:Dangerous? (1)

ianare (1132971) | more than 4 years ago | (#31899968)

Yes, they are. I would consider a phone that has longer battery life to be safer.

Re:Dangerous? (1)

NiteShaed (315799) | more than 4 years ago | (#31902388)

Yes, they are. I would consider a phone that has longer battery life to be safer.

How long is long enough for you then? Emergencies generally can't be predicted, so unless your battery life is "infinite", it's just as possible that you'll desperately need your phone 5 minutes after you take it from the charger as it is that you'll need it 12 hours after its last charge....

Re:Dangerous? (0)

maxwell demon (590494) | more than 4 years ago | (#31903002)

The longer your battery lasts, the less the fraction of time the battery is empty.

Re:Dangerous? (1)

ianare (1132971) | more than 4 years ago | (#31903156)

I would say at least 48 hours; if I spend the night out I shouldn't have to bring a charger. This is becoming less of a problem with the introduction of universal chargers, but most people have proprietary chargers still. An emergency can and has arrived on my way home from a friend's house late one night, and my phone was dead - it only lasts about 10 hours.

Re:Dangerous? (1)

WrongSizeGlass (838941) | more than 4 years ago | (#31899102)

This bug and vulnerabilities are bad, even severe, but dangerous? I can think of no scenario where lives or property would be at stake. I guess the personal data could be used for something untoward....

What if they used the dreaded "KaBoom" SMS exploit to trigger the Palm's self destruct mechanism? Then their personal data would be allllll over the place.

Re:Dangerous? (1)

gyrogeerloose (849181) | more than 4 years ago | (#31899542)

This bug and vulnerabilities are bad, even severe, but dangerous?

Considering the WebOS has only about 5% of the smartphone market [prethinking.com] , it's probably not very dangerous at all.

Re:Dangerous? (0)

Anonymous Coward | more than 4 years ago | (#31899818)

Downloading kiddie porn to someone's phone? Uhh yeah.. very dangerous.

Re:Dangerous? (1)

Itninja (937614) | more than 4 years ago | (#31899990)

About as dangerous as leaving your phone unattended for as few as 5 minutes. No lives or property would be at stake. What's more, as soon as any investigation started this hack would be detected and the charges dropped.

Re:Dangerous? (1)

dgatwood (11270) | more than 4 years ago | (#31900782)

Six weeks after the newspaper runs a story accusing you, your employer gives you a pink slip, and the entire town vilifies you....

Re:Dangerous? (1)

Itninja (937614) | more than 4 years ago | (#31903372)

Doubtful. It's not like it is on TV. In many vicious custody battles (or any other heated legal conflict) accusations of "being a pedophile" or planting "kiddie porn" (along with many other false accusations) are not that uncommon. Just like anything else, the issues are investigated (usually via search warrant on your computer) and, if found to be fraudulent, dismissed. Nothing even goes to court.

Re:Dangerous? (1)

izomiac (815208) | more than 4 years ago | (#31900118)

I can think of a few, especially with the medical field. If a hospital can't get in touch with the doctors on call because they all have similarly compromised phones then I'd imagine that patient care would suffer. Or if the phones become so glitchy that Epocrates' drug interaction checker doesn't work, leading to that step getting skipped since there's no time to do it manually (3! to 15! possible interactions per patient). Or the doctor's account on the EMR system is compromised so patient information is leaked and used nefariously.

For people that don't deal with life or death situations, it is much harder to contrive a scenario where an electronic device malfunctioning might cause harm (well, economic harm is easy). I suppose someone could cause the phone to play a loud noise to distract a vehicle driver at a crucial moment. Or perhaps someone could make a cheap lithium ion battery explode, although there should be dozens of safeguards preventing that. The most likely though, would be for stalkers to be able to track their victims much more effectively, which would cause emotional harm if nothing else.

Re:Dangerous? (1)

dmmiller2k (414630) | more than 4 years ago | (#31900546)

Um, know any doctors with Palm WebOS based phones?

Of course not, they all carry Blackberries.

Re:Dangerous? (1)

izomiac (815208) | more than 4 years ago | (#31902078)

Actually I do. The iPhone and Android predominate though, since they run the best versions of medical software (colored graphs, pill identifiers, misc. smaller apps, etc.). Blackberries aren't very popular around here since they require a $100 software package plus an extra $20/month to check one's university e-mail. Palms are the rarest, but a few people use them. OTOH, the relative popularity of each platform differs by demographics and institution.

Re:Dangerous? (1)

Achromatic1978 (916097) | more than 4 years ago | (#31904190)

I can think of a few, especially with the medical field. If a hospital can't get in touch with the doctors on call because they all have similarly compromised phones then I'd imagine that patient care would suffer. Or if the phones become so glitchy that Epocrates' drug interaction checker doesn't work, leading to that step getting skipped since there's no time to do it manually (3! to 15! possible interactions per patient). Or the doctor's account on the EMR system is compromised so patient information is leaked and used nefariously.

Since you mention Epocrates, I'm going to presume you're in the field. To which I say, if your on-call system for emergency physicians relies solely on cell systems, you're doing something wrong. As someone also in the field, a day job involving EMR, part time EMS, training as a full time medic, if there's even the slightest possibility you might be required on call/demand in our system, pre-hospital or hospital, you have a cell phone and a pager (and in our case we run a pager network, with county-owned towers to ensure as high a quality of reception as possible).

Re:Dangerous? (1)

izomiac (815208) | more than 4 years ago | (#31905482)

I'm still a student, a couple months away from clinical rotations, so it's very possible there are multiple methods of contact. I have seen very few people carrying multiple devices though, so I don't think there is that much redundancy here. OTOH, "here" is a pretty large hospital in a decent sized city with good cell coverage, so I suspect only the most essential personnel have a dual device requirement.

Re:Dangerous? (1)

gmhowell (26755) | more than 4 years ago | (#31905814)

Trust me, most of the time, the nurses don't need you. You just get in the way of people doing actual patient care.

(GF is a nurse, father is a doctor, sadly, this isn't a troll.)

Sausage? (0)

Anonymous Coward | more than 4 years ago | (#31898872)

After watching that, I somehow feel compelled to review all the security risks and exploits on the iPhone, and use my sausage *cough* on the touch screen...

Wow (5, Insightful)

coniferous (1058330) | more than 4 years ago | (#31898888)

I cannot believe that: a) An exploit like this exists. SANITIZE ALL INPUTS! b) It took this long to find. This reminds me a lot of the exploit on Android where it acted like all text entered was typed into a terminal.

Re:Wow (1)

interval1066 (668936) | more than 4 years ago | (#31899170)

No kidding, this is like html 101. Every employer I've spoken to since the 90's who was considering me for any kind of web work has asked me if I know how to guard against xss and sql injection attacks. This is not some arcane black art. No wonder Palm is failing. And I like WebOS as a platform.

Re:Wow (1)

Hurricane78 (562437) | more than 4 years ago | (#31899724)

It took this long to find.

Hey, this is the fastest exploit ever done by a user community... of about 3 people. ^^

Re:Wow (0)

Anonymous Coward | more than 4 years ago | (#31899728)

They do sanitize *some* text message inputs -- like they strip everything between , so that the messages from my Asterisk answering machine never show the actual phone number.

I.e., they strip actual valuable content. Sweet!

Poor Roger McNamee is going to lose a few dozen million on Palm if / when they ever do get sold. Huge tears of woe.

Re:Wow (1)

jellomizer (103300) | more than 4 years ago | (#31899768)

You are making the assumption that the part that does the rendering of the SMS calls and formatting was part of the same group that takes the SMS and calls the function. You assume that this was in the specs for people to follow. And no one brought it up because they thought the other team had the problem fixed. And then they had a timeline where they could make these issues for all systems...

Re:Wow (3, Interesting)

teknopurge (199509) | more than 4 years ago | (#31900238)

There was an SMS exploit for a version of iPhone OS that would brick it, and just checking with a few people there are some nasty 0-days out there for it. At least you can't turn the Palm into a paperweight from 10,000 miles away...

Re:Wow (1)

omglolbah (731566) | more than 4 years ago | (#31901812)

That wasn't actually an exploit.

That was someone forgetting to disable a debugging shell with a global input hook :-p

eh hem... (1)

djupedal (584558) | more than 4 years ago | (#31898986)

"...rudimentary HTML injection bug...."

There are so many wrongs going on at once there. I'll just pick one, load a round in the chamber and mutter 'rudimentary' is redundant. Ok, two...'injection bug'? WTF? --- now get off my lawn!

WebOS 1.4 (5, Interesting)

spiderbitendeath (577712) | more than 4 years ago | (#31899008)

My Pre is running the latest 1.4.1.1 WebOS version. I tried their "exploits" on it, it did nothing, had no affect on it. In the video they're running an outdated version of WebOS, 1.3.5. WebOS will download updates OTA automatically, and install them if you don't do it after a certain number of days. To me, the likeliness of these still being issues is close to null and void.

Re:WebOS 1.4 (1)

Codename Dutchess (1782238) | more than 4 years ago | (#31899106)

But the fact remains, that if this went so long without being published, what else could be buggy? This might have been small, but at revision 1.3.5 they still didn't figure it out? I can't imagine what comes next.

Re:WebOS 1.4 (0)

Anonymous Coward | more than 4 years ago | (#31899264)

But the fact remains, that if this went so long without being published, what else could be buggy? This might have been small, but at revision 1.3.5 they still didn't figure it out? I can't imagine what comes next.

DO NOT breathe air! You don't know what else could be in it! Surely it could be POISON! MUAHAHAHAHAH

What comes next (1)

Neuroelectronic (643221) | more than 4 years ago | (#31899436)

Automatic uploading of videos to Youtube, integration of MyFace contacts.

Re:WebOS 1.4 (1)

aitikin (909209) | more than 4 years ago | (#31899322)

Mind you, these were disclosed to Palm so they could fix them before 1.4 was released (at least that's what is claimed in the video).

Re:WebOS 1.4 (4, Informative)

X0563511 (793323) | more than 4 years ago | (#31899374)

1.4 explicitly fixed these issues.

Re:WebOS 1.4 (1)

nurb432 (527695) | more than 4 years ago | (#31901532)

But a headline of 'Severe bug fixed several revisions back, all is safe' isn't as likely to get readers.

Re:WebOS 1.4 (2, Funny)

X0563511 (793323) | more than 4 years ago | (#31903726)

Indeed. I actually jumped into the developer's IRC channel to check in on this, and one of them told me about it being fixed already.

I felt like an ass. Thanks, Slashdot.

Re:WebOS 1.4 (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#31899468)

had no affect on it.

effect

Re:WebOS 1.4 (0)

Anonymous Coward | more than 4 years ago | (#31899978)

So a whitehat security firm practiced responsible disclosure and got things patched before publishing, and you're here to get marked "Interesting" for complaining that you can't exploit a production handset?

I love this website.

Anonymous Coward (2, Informative)

Anonymous Coward | more than 4 years ago | (#31899040)

This has been fixed with the 1.4 update, not sure why it's news.

Re:Anonymous Coward (0)

Anonymous Coward | more than 4 years ago | (#31899334)

Yeah and not only that, it's not even made by Apple. If we're not bashing the iP*, we've got nothing to talk about!

Re:Anonymous Coward (1)

hduff (570443) | more than 4 years ago | (#31899934)

This has been fixed with the 1.4 update, not sure why it's news.

It's news because it was in a 1.x version and it's a basic coding fuckup they were slow and careless not to have fixed before now.

Who knows what else they have yet to fix?

That's why it's news.

Re:Anonymous Coward (0)

Anonymous Coward | more than 4 years ago | (#31901464)

It's news because Apple didn't announce a product today. This was reported and fixed a long ass time ago. If they ran an article for every fixed bug in windows no matter how simple the bug may seem, we'd never read news about anything else.

Re:Anonymous Coward (0)

Anonymous Coward | more than 4 years ago | (#31904724)

webOS has been out for 10 months and you're bashing them for an SMS vulnerability they quickly fixed when notified. Jesus. The iPhone had SMS flaws for YEARS before they were discovered and fixed (all the way up through the 3.0 firmware): http://news.cnet.com/8301-27080_3-10299378-245.html

Get a life. Kudos to Palm for quickly resolving the issue and to the finders of the vulnerability for notifying Palm and giving them time to produce a fix.

Re:Anonymous Coward (1)

gtbritishskull (1435843) | more than 4 years ago | (#31902220)

The whitehat team that found it told Palm about it before 1.4 was released and did not publish the exploit until it had been patched. I don't think they should get punished publicity-wise because they decided to follow ethical practices.

Palm Buyer (-1, Troll)

kiehlster (844523) | more than 4 years ago | (#31899064)

Well, if they don't find a buyer, this won't be a problem anymore. We can then purge the system of Palm devices arguing that people are using ancient devices from an extinct company.

Little Bobby Tables? (0)

Anonymous Coward | more than 4 years ago | (#31899078)

Those aren't random text messages; they're student records.

http://xkcd.com/327/

Re:Little Bobby Tables? (0)

Anonymous Coward | more than 4 years ago | (#31899298)

best xkcd ever!

If SS7 gateways are hackable, why not phones ? (0)

Anonymous Coward | more than 4 years ago | (#31899408)

This isn't at all surprising. Even infrastructure equipment is hackable using SMS messages.

Re:If SS7 gateways are hackable, why not phones ? (1)

Neuroelectronic (643221) | more than 4 years ago | (#31900654)

Only if you consider purposeful backdoors disguised as simple vulnerabilities the same thing as simple vulnerabilities.

Fixed in the 1.4 (0)

Anonymous Coward | more than 4 years ago | (#31899472)

Since this was fixed in the 1.4, this can only be some no name "security" company trying to make a name for itself. A really poor one at that, they can take already known issues and exploit them... And hey with results like these, they should have no problems exploiting any unpatched Windows 95 machine still running out there.

Re:Fixed in the 1.4 (0)

Anonymous Coward | more than 4 years ago | (#31899738)

Or, alternatively, it was the security company that found the exploit and warned Palm about it so they could fix it for 1.4, and is now releasing the vulnerability for discussion.

But hey, that would have required reading the article.

Well, whaddaya know? (0, Flamebait)

dahud (1793234) | more than 4 years ago | (#31899482)

Palm? I'm surprised they still even exist. The last contact I had with them was a b&w PDA ten years ago.

Re:Well, whaddaya know? (1)

changa (197280) | more than 4 years ago | (#31899838)

How is that rock you have been living under?

Re:Well, whaddaya know? (1)

dahud (1793234) | more than 4 years ago | (#31900040)

Nice and cozy, thanks.

On the positive side (0)

Anonymous Coward | more than 4 years ago | (#31900070)

At least no one will actually be affected because no one owns a Palm phone anymore

Re:On the positive side (1)

joetomato (1073508) | more than 4 years ago | (#31901222)

I just bought one last week, and my wife's will be getting here either today or tomorrow, you insensitive clod!

Intrepidus are straight up losers. (0)

Anonymous Coward | more than 4 years ago | (#31900204)

Basically, here's the deal: Palm fixes all these bugs, but Intrepidus wants to drum up more business, so they release a mocking video of all the bugs that Palm ALREADY FIXED in an OS that updates itself really well (and most users want the updates badly because Palm releases features with each of them). Would you want to pay a company to pull that kind of crap with your product? I wouldn't think so.

Oh, yeah...and the OS itself has only been out for less than a year. Of course you're going to find exploits...what do you expect, absolute perfect security right out of the gate?

Not only that, Intrepidus takes the biggest cop out for a security company there is: "Well, uhhh, because it's browser based or something...uhhh...there's like, security holes and whatever." It's NOT browser based. webOS is LINUX BASED. It has a UI that incorporates a modified WebKit engine. Not only that, just saying there's a browser integrated into the front end isn't an instant security hole. Browsers are software. Software can have bugs, and bugs can be fixed. Would you say that unrelated software product A is instantly vulnerable to the same holes as unrelated software product B? When I hear a security engineer take that track with me, he/she loses all credibility. Security outfits are specialized QA houses and nothing more. Their job is to take money, use a systematic process to find bugs, then report them. They are paid for their confidentiality and their work. When they cop out on both fronts, they prove themselves to be nothing more than a scam shop of 14 year old jackoffs with a 23 year old douchebag boss trying to make a name for themselves.

Re:Intrepidus are straight up losers. (2, Informative)

zullnero (833754) | more than 4 years ago | (#31900232)

Oh, darn it. Slashdot's login script didn't execute in time for me to post this as myself.

Re:Intrepidus are straight up losers. (0)

Anonymous Coward | more than 4 years ago | (#31901594)

Oh, darn it. Slashdot's login script didn't execute in time for me to post this as myself.

I'm getting tired of this. Stop trying to take credit for my work!

I tried this on my phone (0)

Anonymous Coward | more than 4 years ago | (#31900390)

and it failed.

Security Team: 0
Palm: 1

Re:I tried this on my phone (0)

Anonymous Coward | more than 4 years ago | (#31903848)

My god, I remember a time when Slashdot didn't have all those stupid losers making comments on things they didn't understand. More than half of the comments down there are "yay Palm fixed it so meh."

Stupid stupid people, please don't post your turd if you didn't even read the story or understand the stuff that happened

Nothing to see here, please move along (2, Informative)

loftwyr (36717) | more than 4 years ago | (#31901762)

From the source release:

(Note: the findings herein affect WebOS 1.3.5. Palm has since released WebOS 1.4, which fixes these vulnerabilities, though not all handsets or carriers are running this version. Due to contractual agreements, the public disclosure of this information was delayed.)

Javascript Handicap (1)

r7 (409657) | more than 4 years ago | (#31902010)

These bugs can all be traced back to that fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML.

The article is accurate in so far as JavaScript is concerned. Palm has a long way to go if they ever hope to implement JavaScript securely on the scale they're using it. Checks have to be built into the SDK and the client engine, and they have to be updated regularly (quite frequently if Firefox's NoScript is any benchmark).

I've authored enough JS (not to be confused with CSS) to doubt that Palm will be able to do it. Nobody else has implemented JS securely, so WebOS device owners should expect to be hacked and use their cell phones accordingly.

Minor thing on minor OS in old version has bug (1)

SlappyBastard (961143) | more than 4 years ago | (#31904872)

Yay, Slashdot. Some days I wonder if my time wouldn't be better spent in the comments section of Digg.

I'm going to get flamed for this but... (1)

aXis100 (690904) | more than 4 years ago | (#31904944)

This is why "software engineering" fails to be taken seriously. How in this day and age an OS can be released without simple checks and balances like input validation is beyond me. The only excuse is "the developer couldn't be bothered, and no-one checked up on him".

Most programmers these days are the equivalent of tradespeople and artisans - sure many of them are very talented, but as a group still lack the formal QA and inherent attention to risk management that any real engineering should have.

Re:I'm going to get flamed for this but... (1)

aXis100 (690904) | more than 4 years ago | (#31905224)

Sorry, it was the SMS client and not the core OS, but the fact that it could still be hacked through injection is bad.

I don't understand (1)

Pence128 (1389345) | more than 4 years ago | (#31905598)

How are things like this even possible? Did someone someday decide it would be a good idea to interpret data as code?

Obligatory... (1)

Illogical Spock (1058270) | more than 4 years ago | (#31905674)

FacePALM!
