[30689] in bugtraq
Re: PalmOS Memo Record Hiding Vulnerability.
daemon@ATHENA.MIT.EDU (Goetz Bock)
Thu Jul 10 13:32:55 2003
Date: Thu, 10 Jul 2003 00:11:23 +0200
From: Goetz Bock <bock@blacknet.de>
To: bugtraq@securityfocus.com
Message-ID: <20030710001123.V18605@zealot.blacknet.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030709181000.71210.qmail@web21506.mail.yahoo.com>; from shaunige@yahoo.co.uk on Wed, Jul 09, 2003 at 07:10:00PM +0100
> -[BACKGROUND]-:
>
> PalmOS includes a pre-installed 'Security'
> Application, which allows a Palm enabled device to add
> weak security, to hide data and protect the PDA from
> casual snoopers. One particular feature is the
> ability to "Hide" Memos set as "Private" in the
> Security section of MemoPad, and set a password so
> that "Private" memos can only be read by those
> possessing the Password.
this "bug" is known since the very beginning of PalmOS v1.x. IIRC the
SDK even mentioned that it is the task of the author of any Palm OS
software to check and honor the "private"/"hidden" flag on it's own.
While it's sad that Palm Inc did not fix this, I'm actually surprised
that this fact is new to anyone who spend any time checking the security
of PalmOS.
BTW: it's trivialy possible to remove the password and even retrive it
in clear text with a small 3rd part application.
Search the mailing list on ultraviolette.org (iirc, and if it still
exists) for the program to get your password. It was posted there
years ago.
--
Goetz Bock (c) 2003 as blacknet.de - Munich - Germany /"\
IT Consultant GNU FDL 1.1 secure mobile Linux everNETting \ /
X
ASCII Ribbon Campaign against HTML email & microsoft attachments / \
