Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Handspring Visor Network HotSync Security Hole

From: thalakan () TECHNOLOGIST COM (Jason Spence)
Date: Thu, 6 Jan 2000 22:42:43 -0800

Jay C Austad wrote:


If you have Network HotSync (provided on the CD that comes with your Visor) enabled on your machine, and a malicious 
user knows your name (ex. John Smith), and the ip of your machine (ex. 192.168.22.22, or jsmith.company.com), he can 
change the name on his Visor to yours, do a Network hotsync with your ip, and download all of your email, send email 
as you, and perform any function that you can.

There is no password or authentication of any kind.  If I wanted to read my co-workers email, or send a nasty message 
from him to his boss, all I would need to do is put his name into my visor (Jim Beam), and do a network sync to 
jbeam.company.com.

I have contacted Handspring about this and have heard nothing back.


Unrelated to this, I've noticed that port scanning a Palm IIIe connected to
my network results in the Palm hanging and shutting down.  Some people use
the Palm as a web browsing platform while their workstation does other
things; my Palm recently got portscanned while I was doing that, which
prompted me to see if the behavior was repeatable (it was).  Ping flooding
the Palm makes it act funny, too.

 - Jason
Previous By Date Next
Previous By Thread Next

Current thread: