Black Hatters probe Chrome OS vulnerabilities

Two security researchers have presented a paper at the Black Hat conference describing potential security vulnerabilities associated with Google’s Chrome operating system. 

As you may recall, Chrome OS was touted as the first platform designed to be totally malware-free from the very start. Therefore, users cannot actually install or execute code on a Chromebook and are instead limited to downloading Chrome extensions.

But when researchers Matt Johansen and Kyle Osborn examined the implications of having everything “running” as an extension in the browser, they discovered that JavaScript code could be vulnerable to an XSS (cross-site scripting) attack.

As Sophos Security researcher Chester Wisniewski points out, a website with an XSS vulnerability allows cyber criminals to attack a specific site, but does not affect others.

But what happens if the XSS vulnerability resides in an app on your browser?

“Well, considering the API that Chrome provides for extension development, it allows an attacker to exploit any web site operating within that browser – including all other tabs,” said Wisniewski.

“[Still], while it is easy to write a malicious application and upload it to the Chrome Web Store, you would have a difficult time getting a large number of people to install it.”

According to Wisniewski, concern remains that any existing popular extensions containing vulnerabilities could allow an attacker to arbitrarily hijack everything occurring in a browser session.

In addition, the above-mentioned research impacts all Google Chrome users, whether they are running Google’s platform as an OS or as a browser.

“Many extensions available on the Chrome Web Store were not exactly designed with security in mind, which not only makes them potentially vulnerable, but also means they ask for more permissions than they may need to work properly.

“So if you’re a Chrome user, or have a Chromebook, you may wish to think twice before installing those random plugins and keep your eyes open for developments on how Google will work to better protect you,” recommended Wisniewski.
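
One way to act on the permissions point is to review an extension's manifest before installing or approving it. The script below is an added example, not code from the researchers or from Google: it flags site-wide host access, cross-site API permissions and a relaxed content security policy. The sample manifest, the finding labels and the choice of which permissions count as sensitive are assumptions made for illustration.

```javascript
// Added example: audit a Chrome extension manifest for over-broad access.
// The permission lists and the sample manifest are constructed for illustration.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// API permissions that expose data belonging to other sites or tabs.
const SENSITIVE_APIS = new Set(["tabs", "cookies", "history", "webRequest", "debugger"]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  for (const p of declared) {
    if (BROAD_HOSTS.has(p)) findings.push(`broad-host:${p}`);
    else if (SENSITIVE_APIS.has(p)) findings.push(`sensitive-api:${p}`);
  }
  // Content scripts injected into every site widen the reach of a script flaw.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.push(`broad-content-script:${m}`);
    }
  }
  // A relaxed CSP weakens the barrier against injected script in extension pages.
  // V2 stores the policy as a string, V3 as an object with "extension_pages".
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  for (const token of ["'unsafe-eval'", "'unsafe-inline'"]) {
    if (cspText.includes(token)) findings.push(`weak-csp:${token}`);
  }
  return findings;
}

// Constructed sample: a note-taking extension that asks for far more than it needs.
const sampleManifest = {
  name: "Example Notes (constructed)",
  manifest_version: 2,
  permissions: ["storage", "tabs", "cookies", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};

function auditSample() {
  return auditManifest(sampleManifest);
}

console.log(auditSample().join("\n"));
```

An empty result means only that none of these coarse patterns matched; it says nothing about whether the extension's own code handles untrusted input safely.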