Goodbye Palm: webOS Security Flaw Dooms Acquisition Hopes

Last Updated Apr 16, 2010 7:45 PM EDT

Sometimes you have to feel sorry for a company like Palm (PALM) -- so badly managed that its only remaining hope for survival lies in an acquisition. But outside a pure play for patents that might prove useful in a legal battle with Apple (AAPL) or maybe Nokia (NOK), acquisition means having something of value to acquire. The one clear asset Palm has is its webOS smartphone operating system. Then again, maybe not.

A group of security experts now says webOS is so riddled with inherent security weaknesses, ones Palm should have known about, that it may be too dangerous for many corporations and consumers to even consider using. That would quash the idea of companies like HTC or Lenovo acquiring Palm to use the operating system on their own hardware.

The webOS operating system is based on an HTML 5 browser, with applications written in JavaScript and HTML. But those technologies have well-known security problems:

As we started to pry a little it became quite apparent that Palm's new WebOS platform was riddled with some pretty dangerous bugs. These bugs can all be traced back to the fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML. This also means that WebOS applications are subject to the numerous web application vulnerabilities that any seasoned penetration tester would be all too familiar with. We were also quite surprised at how quickly these vulnerabilities were discovered. Within a matter of hours we started to uncover a number of low-hanging-fruit vulnerabilities that would be considered quite dangerous under even the most forgiving of standards.

The researchers found these "after a few hours of poking around," and the flaws included the ability to crack the system by sending a phone an SMS message.

Although Palm has reportedly patched these vulnerabilities and has the ability to push changes through to user systems, the software still showed that "Palm put almost no thought into security during their development of WebOS." Who the devil would want to acquire a company whose development was apparently so hastily done that it ignored even security issues that were already well-known? It would be like buying a fixer-upper property, knowing that you had a lot of repair and major construction ahead of you. And given the flaws, what third-party software vendors will now want to develop applications for the platform? It sounds like another knell for Palm: assets to asses, dumb to dump.

[Update: According to Palm SEC filings, as reported by Kara Swisher at the Wall Street Journal's All Things Digital, senior vice president of software and services Michael Abbott tendered his resignation on April 12, effective April 23. Palm is giving two-year retention packages to a number of other executives and she saw Abbott's departure as part of a potential "brain drain." I wonder if Abbott is out the door not as an escape, but effectively being kicked out because of the security problems. Intrepidus had undertaken a year-long study, and I find it hard to believe that the company didn't contact Palm before it publicly released the information. However, if the flaws were the result of a rushed schedule, why send Abbott packing? CEO Jon Rubinstein comes from an engineering management background and should have known better while he was pushing to get webOS out the door. It's just one more reason why he, too, should pack his bags.]


  • Erik Sherman

    Erik Sherman is a widely published writer and editor who also does select ghosting and corporate work. The views expressed in this column belong to Sherman and do not represent the views of CBS Interactive. Follow him on Twitter at @ErikSherman or on Facebook.