Source Boston 2010: Attacking WebOS 1/6

Clip 1/6 Speakers: Chris Clark, iSec Partners & Townsend Ladd Harris WebOS developers work with a large spectrum of web and system languages, including JavaScript, Java, and C++. WebOS is the first mobile platform that primarily uses web languages; however, we believe that they will become more common as platform vendors court the massive web developer community. But, web developers do not understand how the subtleties of how the mobile security model differs from that of the web. For example, WebOS does not enforce the Same Origin Policy (SOP) and some valuable user data is shared. Consequently, minor web application vulnerabilities have a much larger impact on WebOS phones. Almost all WebOS applications run as JavaScript within a WebKit process. However, the same privileges do not apply to all applications. Attackers can use attacks, such as Cross-Site Scripting or buffer overflows, to compromise low-privileged applications and then exploit WebOS unique vulnerabilities classes, such as Card Parameter Injection, to compromise system services and elevate privileges. This presentation will show how to find and exploit these vulnerabilities, a topic which has never been discussed in a public forum. Combined, the presenters published the first WebOS security information and responsibly disclosed over ten WebOS vulnerabilities. Discovering these vulnerabilities required developing innovative security testing techniques. For example, we created a WebOS specific fuzzing agent