WebOS Vulnerable To Data-Theft Attack

A researcher has demonstrated the injection of malicious code into a webOS device via LinkedIn

A security researcher has released a cross-site scripting proof-of-concept illustrating some flaws in the webOS tablet operating system.

Security researcher Orlando Barrera published a proof-of-concept showing how attackers could inject code into the Contacts application on a webOS 3.0 device, Dark Reading reported on 5 July. He also demonstrated the cross-site-scripting exploit at an Austin Hackers Association meeting in Texas on 30 June.

Code injection

Barrera and fellow researcher Daniel Herrera had reported their findings back in November that the “company” field in the Contacts app was “unsanitised”, letting them inject code that ultimately allowed them to grab the database file with emails, email addresses, contacts and other information off the device. The latest exploit from Barrera was related to the earlier discovery.

“This [new flaw] is a similar vector,” Barrera told Dark Reading.

The lack of input sanitisation in some of the fields in the Contacts app renders it vulnerable to malicious code injection and remote code execution, according to the files from the AHA meeting. This means it would exist in both the newly launched HP TouchPad and webOS smartphones.

If there is any malicious HTML or JavaScript code injected into the contact file being imported into the Contacts application, the arbitrary code is executed, according to Barrera’s presentation. “This can be abused by an attacker to perform a cross-site scripting attack on the device,” he said, noting that the attacker does not need authentication to exploit this XSS vulnerability.

In the proof-of-concept, Barrera demonstrated how he injected the JavaScript code into the contact information within the professional networking site LinkedIn to execute the malicious JavaScript file. To prove how easy it is to use a cross-site scripting attack on webOS, Barrera tried it out on an HP TouchPad in a local Best Buy, according to a YouTube video he made. He successfully used the exploit on Facebook, LinkedIn and other apps, which are not “sanitised” to correctly handle code in text fields in webOS, he said on the video.

“The only reason it hasn’t been exploited before is market share, but now that HP is trying to get into the PC tablet market, it has a potentially larger market share and becomes more of a target,” Barrera said.

Cross-site request forgeries

WebOS is also vulnerable to cross-site request forgeries, according to Barrera, but he didn’t publicise those exploits because he didn’t want to give clues to malicious attackers on how to attack the platform through methods such as compromising a PDF reader performing a buffer overflow attack.

HP has known about some of the issues raised by Herrera and Barrera since they were raised a few months ago. Barrera told Dark Reading he found the latest issues in webOS 3.0 within 30 minutes of having access to the software development kit. Even though he informed HP via ZDI, the company’s security research arm, the company allegedly denied there was an issue, prompting Barrera to publicise the proof-of-concept and his findings. He said he wanted to give consumers the information to make an informed decision based on the potential risks.

“HP takes webOS security very seriously. We have identified the issue and it will be addressed in the next over-the-air update. In the interim, we suggest users be cautious accepting contact records from unknown sources,” an HP spokesperson told eWEEK.

HP controls the software and can update the platform via over-the-air-updates, giving it an advantage over mobile platforms that depend on carriers to push out the latest software updates.