WebOS Exploit Can Be Used to Inject Malicious Code in LinkedIn
A security researcher has released a cross-site scripting proof-of-concept illustrating some flaws in the webOS tablet operating system.
Security researcher Orlando Barrera published a proof-of-concept showing how attackers could inject code into the Contacts application on a webOS 3.0 device, Dark Reading reported July 5. He also demonstrated the cross-site-scripting exploit at an Austin Hackers Association meeting in Texas on June 30.
Barrera and fellow researcher Daniel Herrera had reported their findings back in November that the "company" field in the Contacts app was "unsanitized," letting them inject code that ultimately allowed them to grab the database file with emails, email addresses, contacts and other information off the device. The latest exploit from Barrera was related to the earlier discovery.
"This new flaw is a similar vector," Barrera told Dark Reading.
The lack of input sanitization in some of the fields in the Contacts app renders it vulnerable to malicious code injection and remote code execution, according to the files from the AHA meeting. This means it would exist in both the newly launched HP TouchPad and webOS smartphones.