XSS and Content Injection in HTC Windows Mobile SMS Preview PopUp
Date: 22.04.2010
Description
Windows Mobile shows message previews if configured to do so. Because of missing input validation, the contents of an SMS are not sanitized and are rendered in the preview popup as-is. This can lead to content injection and XSS.
Example
Send an SMS with the following sample contents to a Windows Mobile based device which has message preview enabled:
Tested on
HTC Touch Pro 2, Windows Mobile 6.5
Other devices from HTC are vulnerable too
Solution
Disable the "Show Message" option in the notification settings, or, if the device is from HTC, install the supplied patch for your device (which does the same).
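As an added illustration of the flaw and its code-level fix (this is example code, not code from the advisory, from HTC or from Windows Mobile), the snippet below contrasts a preview renderer that concatenates the SMS body straight into HTML with one that escapes and truncates it first; the sample messages, the `render_preview_*` and `contains_markup` names and the 80-character limit are all assumptions.

```python
import html
import re

# Constructed sample messages (not taken from the advisory). The markup in
# the second body stands in for whatever an SMS could carry.
SAMPLE_MESSAGES = [
    ("+15550100", "Meeting moved to 3pm"),
    ("+15550101", 'Hi <b>there</b> <a href="http://example.invalid">link</a>'),
]

PREVIEW_MAX_CHARS = 80  # assumed preview length, not a platform value

# Anything that looks like the start of an HTML tag or comment.
MARKUP_RE = re.compile(r"<[/!]?[A-Za-z]")


def render_preview_vulnerable(sender, body):
    """Mirrors the flaw described above: the SMS body is dropped into the
    popup's HTML unchanged, so any tags inside it are interpreted."""
    return f"<div class='preview'><b>{sender}</b>: {body}</div>"


def render_preview_safe(sender, body, limit=PREVIEW_MAX_CHARS):
    """Hardened form: truncate the raw body first (so no entity is cut in
    half), then HTML-escape sender and body before building the markup."""
    shown = body if len(body) <= limit else body[:limit] + "..."
    return (f"<div class='preview'><b>{html.escape(sender)}</b>: "
            f"{html.escape(shown)}</div>")


def contains_markup(body):
    """Detection aid: True when a message body carries tag-like content,
    so such messages can be logged or counted on the receiving side."""
    return bool(MARKUP_RE.search(body))


if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        print("vulnerable:", render_preview_vulnerable(sender, body))
        print("safe      :", render_preview_safe(sender, body))
        print("markup?   :", contains_markup(body))
```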
Credits
The vulnerability was discovered by Michael Mueller from Integralis
michael#dot#mueller#at#integralis#dot#com
Inspired by the Palm WebOS SMS Hack by intrepidusgroup