Palm Pre snooping fears over ‘unpatched’ vCard flaw

Graham Cluley
Graham Cluley
@[email protected]

Palm Pre
Updated British security researchers are claiming that an unpatched flaw in the Palm Pre operating system could allow malicious hackers to bug calls and spy on users without their knowledge.

According to media reports, penetration experts at MWR InfoSecurity were able to construct a malicious vCard that could be sent to the victim’s Palm Pre via SMS text message, Bluetooth, or by tricking the user into visiting a web link.

MWR InfoSecurity claims that if the Palm Pre owner views the boobytrapped vCard, a backdoor can be opened on the their smartphone, and calls and data can be recorded and transmitted to remote hackers.

The researchers claim that they reported the serious security vulnerability to Palm in May, but that no action has yet been taken to protect users.

Sign up to our free newsletter.
Security news, advice, and tips.


Update MWR’s claims that Palm has taken no action are thrown into some confusion, however, by Palm’s own assertions. Matt Stewart, who works at Palm’s UK PR agency, contacted me to say that “The current version of webOS fixes the security vulnerability reported to Palm.”

He went on to confirm that webOS 1.4.5 resolves the security issue (release notes for the new version of WebOS are available on Palm’s website).

So is the vCard vulnerability really now fixed or not? “No” says MWR, who have published a statement on their website saying Palm’s claims of having patched the vulnerability are inaccurate, and that Pre customers are still exposed.

Of course, most smartphone users wouldn’t be at all surprised to be sent a vCard (the equivalent of an electronic business card), as a it is a common way of sharing contact information. It’s clear that as we put more and more sensitive information on our smartphones, we become more reliant upon the mobile operating system vendors to patch against security holes in a timely fashion.

Incidentally, MWR also claim to have found a flaw in Google Android that allows them to harvest usernames and passwords from the WebKit browser engine – which has been fixed in Android 2.2 Froyo.

PC Pro published an interview with Alex Fidgen, director of MWR Labs, which some may find interesting.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.