OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: Re: Handspring Visor Network HotSync Security

Re: Handspring Visor Network HotSync Security Hole

Subject: Re: Handspring Visor Network HotSync Security Hole
From: Jason Spence (thalakanTECHNOLOGIST.COM)
Date: Fri Jan 07 2000 - 00:42:43 CST

Jay C Austad wrote:
>
> If you have Network HotSync (provided on the CD that comes with your Visor) enabled on your machine, and a malicious user knows your name (ex. John Smith), and the ip of your machine (ex. 192.168.22.22, or jsmith.company.com), he can change the name on his Visor to yours, do a Network hotsync with your ip, and download all of your email, send email as you, and perform any function that you can.
>
> There is no password or authentication of any kind. If I wanted to read my co-workers email, or send a nasty message from him to his boss, all I would need to do is put his name into my visor (Jim Beam), and do a network sync to jbeam.company.com.
>
> I have contacted Handspring about this and have heard nothing back.

Unrelated to this, I've noticed that port scanning a Palm IIIe connected to
my network results in the Palm hanging and shutting down. Some people use
the Palm as a web browsing platform while their workstation does other
things; my Palm recently got portscanned while I was doing that, which
prompted me to see if the behavior was repeatable (it was). Ping flooding
the Palm makes it act funny, too.

 - Jason

This archive was generated by hypermail 2b27 : Fri Jan 07 2000 - 15:22:38 CST