“The webOS SMS client wasn’t performing input/output validation on any SMS messages sent to the handset,” the security company said. “This leads to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a webOS application, the attacks made possible were quite dangerous (especially considering they could be delivered over a SMS message).”
The “good” news is that this vulnerability is only applicable for webOS 1.3.5, and many U.S. users should already be on 1.4. Still, the mobile security firm was very harsh on Palm:
We understand, of course, that there are a number of competing interests that go into the development of a new mobile platform … However, we feel that Palm put almost no thought into security during their development of webOS. All of the low hanging fruit discovered should have been identified in the most basic of threat models, which should have been performed during the very early development stages of webOS, way before any code was written.
Wow. I’m not a security nut by any measures but a widespread attack on mobile phones could set this industry back a long time, so you need to get your game together Palm! At least if the company gets acquired, it will have more resources to focus on security. Check out the video below to see how easy it is to crack webOS.