James Delahunty
3 Aug 2011 23:59
Chrome OS extensions singled out for analysis.
Google touts the additional security that is offered by Chromebooks. On the level of hardware and the operating system itself, the security aspect cannot be denied. It has no native applications except for a browser and it had built in systems to protect the system from boot.
However, Chromebooks are vulnerable to many of the same threats that affect web users every day already. WhiteHat Security researcher Matt Johansen calls attention to Chrome OS' reliance on extensions, Often times, extensions contain cross-site scripting (XSS) bugs that can be exploited by hackers.
Of particular interest is how a bug in one extension could result in the hijacking of communications of a different, secure, extension. As a demonstration at the Black Hat conference, Johansen and colleagues exploited an XSS bug in an extension to steal passwords from an otherwise secure account on LastPass, a cloud password storage service.
"If any of the other vulnerable extensions have an XSS hole, we can utilize JavaScript to hijack that communication," Johansen said. "LastPass is doing absolutely nothing wrong here. You can have an extension that's perfectly fine, but if you have another that has a cross-site scripting error in it we can still access information in secure applications."
This reality raises questions about who is liable to fix these problems. Google doesn't believe this is a problem with its operating system however.
"This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels," A Google spokeswoman told The Register.
"They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced."