BH 2011: Hacking Google ChromeOS

Filed Under: Featured, Google, Malware, Privacy, Vulnerability

Chrome web storeMatt Johansen and Kyle Osborn presented their paper at Black Hat this morning titled "Hacking Google ChromeOS".

Google's netbook operating system has been touted as the first platform that has been designed to be malware free from the start. Users are not able to download/install/execute code on a ChromeBook, they are only allowed to download Chrome extensions.

Johansen and Osborn didn't bother to try and prove Google wrong, they simply looked into the implications of having everything "running" as an extension in the browser.

Their research impacts all users of Google Chrome, whether they happen to be using it as an OS or simply as their browser of choice.

They discovered two things... One is that if you are running JavaScript code on the device, your code could be vulnerable to a XSS (cross site scripting) attack.

When a website has a XSS vulnerability, it allows people to attack that specific site, but it does not effect others. What happens when you have a XSS vulnerability in an application in your browser?

Well, considering the API that Chrome provides for extension development, it allows an attacker to exploit any web site operating within that browser (including all other tabs).

They did point out that Google has been very responsive and has been working with them on solutions to mitigate the risks.

While it is easy to write a malicious application and upload it to the Chrome Web Store, you would have a difficult time getting a large number of people to install it.

Samsung ChromeBookThe worrying part is that any existing popular extensions which contain vulnerabilities could allow for an attacker to arbitrarily hijack everything that occurs in your browser session. Scary.

Many extensions available on the Chrome Web Store were not exactly designed with security in mind, which not only makes them potentially vulnerable, but also means they ask for more permissions than they may need to work properly.

If you're a Chrome user, or have a ChromeBook you may wish to think twice before installing those random plugins and keep your eyes open for developments on how Google will work to better protect you.

, , , ,

You might like

One Response to BH 2011: Hacking Google ChromeOS

  1. Kevin · 1155 days ago

    Well, if a Firefox extension has an XSS vulnerability, your whole computer is compromised.
    But at least Mozilla checks addons uploaded to its website...

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.