Researchers Orlando Barrera and Daniel Herrera of security firm SecTheory discovered three major holes: a floating-point overflow issue, a denial-of-service bug and a cross-site scripting flaw. Meanwhile, HP has worked on at least one of the holes, in the “Contacts” app, and will reportedly have it fixed as of webOS 2.0 beta. However, it seems that the others will remain unaddressed.
Barrera illustrated the findings and explained how XMLHttpRequest, a possible web communication channel, could be used to access the local file system. This means that user data could be extracted from the local database, which could include anything from contact information to passwords and unencrypted messages such as emails and SMS. We have seen previous concerns about webOS's security, as the SMS client was found to be vulnerable to attacks as well.
source: eWeek via Engadget