Added: 1 year ago
From: intrepidusgroup
Views: 17,979

All Comments (24)

  • And how the fuck do you guys send sms through damn fkin terminal...that's only supposed to be available for gsm devices. Unless you guys connect it through a network but then again that's a different story

  • @diablokev87 *blink blink* Such amazing logic on display around here.

  • You guys should do some testing on the command line. I noticed every terminal app automatically logs in as root rather than having you sudo from a privileged user. This means the GUI is running on root which is a stupid thing to do. The only user before installing optware is root which means root handles every phone task which means if they get into the terminal the whole phone is automatically compromised especially since the CLI has so much power in this phone.

  • So much hate people still use 1.3.5. A video like this lets PALM know that people are actively hacking a device meant for secure business. A vulnerability so simple is just unacceptable and this needs to be fixed asap. They did not claim that they would hack every pre just opening PALM's eyes. This video might have helped your phone have 6 less vulnerabilities and for that I thank you. If security is never tested no need to correct mistakes and when someone does test it makes it so much worse.

  • @nullr1 Who is still using 1.3.5? webOS forces updates after 7 days. 1.4 came out on February 26th. Find me a person who has 1.3.5 that didn't specifically hack their phone to keep it.

  • @andrewhime

    That was my point. People disable updates. Right now there really is no reason to be on 1.3.5 as mobile hotspot and video recording are in 1.4.1.1 but just because the majority does not have it does not mean everyone. Would you rather have them make a video and inform Palm and get this fixed or sell the exploits to someone who can possibly use it on you? I'm not saying the exploits are of much use anymore, I'm just saying they are a necessary part of testing security.

  • @nullr1 People who disable updates open themselves up to this vulnerability by choice. It takes a lot of work to do and serves little purpose, as 1.4 was the Holy Grail of webOS. So I'd say there's maybe 10 people out there tops still on 1.3.5.

  • You call these hacks? Pathetic. No one is using 1.3.5 either.

  • You guys are idiots, try finding vulnerabilities on the CURRENT version of the phone's OS. This demonstration is about as useful as a hack on an unpatched version of Windows XP.

  • @junkTzu

    This is what your phone was vulnerable to not that long ago. There are many more that they did not show. I like webOS because it has a great CLI; you can literally launch any app from the command line. You can even call or send a text message. Look at how much control you have.

    webos-internals(dot)org/wiki/Luna_Send

    The problem is that security should come up especially from executing code from sms or email. Video shows that security needs to be ramped up and it's working.

  • You guys are idiots, this is about as useful as showing that an unpatched version of Windows XP is vulnerable.

  • Craigslist? Youtube? For all of your self-stated intelligence, you guys appear to be a bunch of ignorant punks. I couldn't care less if Palm stays or goes, but self-adulating people with a grudge--you people--need to get the insecurities worked out of your own lives.

  • Thanks for the comments. Some of them have been quite entertaining. We weren't expecting everybody to "get it" but glad some did. It's funny to get grief about releasing something that is "known" -- how do you people think it became known in the first place? So next time, (just to be clear) you think we should release the video and let the vendor find it on their own? That's a dick move, and it's not how our general liability policy works. Thank you come again!

  • Comment removed

  • I have a Palm Pre and lucky it's fine. Thanks for showing this and WTF IS UP WITH YOU USING A SAUSAGE INSTEAD OF A FINGER TO TOUCH YOUR PHONE

  • @nanosman1994 - You would have to share a few beers with us to understand.. we have a horrible sense of humor. You put some geeks in a room, with some beer, and a capacitive screen that responds to the body's electrostatic field.. and naturally you say "I wonder how conductive this sausage is." (ok.. I guess you would have had to have been there)

  • @intrepidusgroup haha ok i got it

  • this guy should remove the iPhone rammed up his ass and redo this video again with the CURRENT webOS version, you know, the one without all of these "bugs"

  • So you're trying to get somewhere on the basis of bugs that have already been fixed on a version of webOS that's no longer available? *blink blink*

  • @andrewhime I think you should read their full writeup:

    intrepidusgroup(dot)com/insight/2010/04/webos-examples-of-sms-delivered-injection-flaws

  • The guy sounds like such a smug jerk. Palm fixed the issues, get over it.

  • @danib62 It sounds more like Palm fixed one attack vector and left the underlying design flaw, that relatively easy to accomplish HTML injection leads to effective code execution, unfixed.

    There are likely many more vectors, both 1st and 3rd party, that are remaining to be found due to insecure APIs and probably even code samples provided by Palm.

  • @dguido yes. ^^ this !!^^.. thank you sir! -- Unless someone takes a hard look at this, we just won't know about all the other vectors and other clever character encodings that might stick past the validation routines. We ran out of time on this so we found a scouter on craigslist and had him give us his professional opinion about how many other vulns may exist... he came back and said over 9000. I'd like to see someone try to argue with that!

  • @intrepidusgroup My opinion is that there may be fifteen and a half angels in the room with you right now. I'd like to see someone try to argue with that!
