WebOS Exploit Can Be Used to Inject Malicious Code in LinkedIn

A security researcher has released a cross-site scripting proof-of-concept illustrating some flaws in the webOS tablet operating system.

Security researcher Orlando Barrera published a proof-of-concept showing how attackers could inject code into the Contacts application on a webOS 3.0 device, Dark Reading reported July 5. He also demonstrated the cross-site-scripting exploit at an Austin Hackers Association meeting in Texas on June 30.

Barrera and fellow researcher Daniel Herrera had reported their findings back in November that the "company" field in the Contacts app was "unsanitized," letting them inject code that ultimately allowed them to grab the database file with emails, email addresses, contacts and other information off the device. The latest exploit from Barrera was related to the earlier discovery.

"This new flaw is a similar vector," Barrera told Dark Reading.

The lack of input sanitization in some of the fields in the Contacts app renders it vulnerable to malicious code injection and remote code execution, according to the files from the AHA meeting. This means it would exist in both the newly launched HP TouchPad and webOS smartphones.

If there is any malicious HTML or JavaScript code injected into the contact file being imported into the Contacts application, the arbitrary code is executed, according to Barrera’s presentation. "This can be abused by an attacker to perform a cross-site scripting attack on the device," he said, noting that the attacker does not need authentication to exploit this XSS vulnerability.

In the proof-of-concept, Barrera demonstrated how he injected the JavaScript code into the contact information within the professional networking site LinkedIn to execute the malicious JavaScript file. To prove how easy it is to use a cross-site scripting attack on webOS, Barrera tried it out on an HP TouchPad in a local Best Buy, according to a YouTube video he made. He successfully used the exploit on Facebook, LinkedIn and other apps, which are not "sanitized" to correctly handle code in text fields in webOS, he said on the video.

To read the original eWeek article, click here: WebOS Cross-Scripting Exploit Uses Malicious Code Injected in LinkedIn