Matt Johansen and Kyle Osborn presented their paper at Black Hat this morning titled “Hacking Google ChromeOS”.
Google’s netbook operating system has been touted as the first platform that has been designed to be malware free from the start. Users are not able to download/install/execute code on a ChromeBook, they are only allowed to download Chrome extensions.
Johansen and Osborn didn’t bother to try and prove Google wrong, they simply looked into the implications of having everything “running” as an extension in the browser.
Their research impacts all users of Google Chrome, whether they happen to be using it as an OS or simply as their browser of choice.
They discovered two things… One is that if you are running JavaScript code on the device, your code could be vulnerable to a XSS (cross site scripting) attack.
When a website has a XSS vulnerability, it allows people to attack that specific site, but it does not effect others. What happens when you have a XSS vulnerability in an application in your browser?
Well, considering the API that Chrome provides for extension development, it allows an attacker to exploit any web site operating within that browser (including all other tabs).
They did point out that Google has been very responsive and has been working with them on solutions to mitigate the risks.
While it is easy to write a malicious application and upload it to the Chrome Web Store, you would have a difficult time getting a large number of people to install it.
The worrying part is that any existing popular extensions which contain vulnerabilities could allow for an attacker to arbitrarily hijack everything that occurs in your browser session. Scary.
Many extensions available on the Chrome Web Store were not exactly designed with security in mind, which not only makes them potentially vulnerable, but also means they ask for more permissions than they may need to work properly.
If you’re a Chrome user, or have a ChromeBook you may wish to think twice before installing those random plugins and keep your eyes open for developments on how Google will work to better protect you.