XSS and Content Injection in HTC Windows Mobile SMS Preview PopUp
Date: 22.04.2010
– Description
Windows Mobile shows message previews if configured to do so. Due to missing input validation the contents of a sms is not properly sanitized and interpreted as it is. This can lead to content injection and xss.
– Example
Send a sms with the following sample contents to a Windows Mobile based device which has message preview enabled:
1. <html><head><meta http-equiv=”refresh” content=”0; URL=http://www.google.de/”></head></html>
2. <script>alert(‘Thats evil’)</script>
3. You know waht you can do with that, find your own…
– Tested on
HTC Touch Pro 2, Windows Mobile 6.5
Other devices from HTC are vulnerable too
– Solution
Disable the “Show Message” Option in the notification settings, or if the device is from HTC install the supplied patch for your device (which does the same).
– Credits
The vulnerability was discovered by Michael Mueller from Integralis
michael#dot#mueller#at#integralis#dot#com
Inspired by the Palm WebOS SMS Hack by intrepidusgroup
– Timeline
22.04.2010 – Vulnerabilities discovered
22.04.2010 – Public release
Leave a Reply
You must be logged in to post a comment.