Security was a key part of the pitch around Chrome OS when Google started revealing details of the operating system back in 2009. Fast forward to August 2011 – Google Chrome OS is a reality on the market and its security is on the menu at the annual Black Hat security conference in Las Vegas.
In their presentation Aug. 3, Matt Johansen and Kyle Osborn of WhiteHat Security demonstrated how to compromise Chrome by targeting vulnerable Web extensions via cross-site scripting bugs that enable attackers to inject JavaScript into user machines by leveraging the permissions the extensions use.
The presentation put a spotlight on the importance of secure extensions, particularly for users of Google Chrome since the mobile operating system is designed to work exclusively with Web applications. Further complicating matters is an apparent lack of vetting of extensions available for Chrome OS – something demonstrated when the duo were able to successfully upload a malicious extension to the Chrome Web store. They took the extension down immediately.
For its part, Google – which the researchers said was quick to fix a vulnerability the duo found in an extension bundled with Chrome called Scratchpad – issued a number of pieces of advice in the weeks before Black Hat to help people writing extensions improve security. Among the tidbits: minimize your permissions and avoid including JavaScript in pages using an HTTP URL, with the latter opening the extension up to the possibility of man-in-the-middle attacks. The company also recommends not using the eval() function or innerHTML and document.write().
“It’s important to point out that extensions running in Chrome have actually been designed to limit privileges and to run in isolation by default,” a Google spokesperson told SecurityWeek. “Incognito mode on Chrome OS and Chrome do not allow extensions unless they are explicitly whitelisted by the user.”
The good news is that even if attackers manage to upload a malicious application to the Chrome Web store, they will likely have a hard time tricking large numbers of people into installing it, opined Chester Wisniewski, senior security advisor at Sophos Canada, in a blog post. “The worrying part is that any existing popular extensions which contain vulnerabilities could allow for an attacker to arbitrarily hijack everything that occurs in your browser session,” he wrote. “Scary.”
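For extension authors who want to check their own code against the advice Google issued, the sketch below is an added example, not code from Google, WhiteHat Security or the article. It statically audits a manifest and source files for the patterns named above; the sample extension, its file names and the choice of which permissions count as "broad" are assumptions constructed for illustration.

```javascript
// Added example: static audit of an extension against the advice quoted above.
// Assumption: these host patterns are treated as "not minimal" permissions.
const BROAD_PERMISSIONS = new Set(["<all_urls>", "http://*/*", "https://*/*", "*://*/*"]);

// One rule per construct the advice names; each is matched line by line.
const SOURCE_RULES = [
  { id: "eval", re: /\beval\s*\(/, why: "eval() executes strings as code" },
  { id: "innerHTML", re: /\.innerHTML\s*\+?=(?!=)/, why: "innerHTML assignment parses untrusted markup" },
  { id: "document.write", re: /\bdocument\.write(ln)?\s*\(/, why: "document.write() injects markup" },
  { id: "http-script", re: /<script[^>]+src\s*=\s*["']http:\/\//i, why: "script fetched over HTTP can be altered in transit" },
];

// manifest: parsed manifest.json; files: { fileName: sourceText }
function auditExtension(manifest, files) {
  const findings = [];
  for (const perm of manifest.permissions || []) {
    if (BROAD_PERMISSIONS.has(perm)) {
      findings.push({ file: "manifest.json", line: 0, id: "broad-permission", detail: perm });
    }
  }
  for (const [name, text] of Object.entries(files)) {
    text.split("\n").forEach((src, i) => {
      for (const rule of SOURCE_RULES) {
        if (rule.re.test(src)) {
          findings.push({ file: name, line: i + 1, id: rule.id, detail: rule.why });
        }
      }
    });
  }
  return findings;
}

// Constructed sample extension (hypothetical names and contents).
const sampleManifest = { name: "Notes (sample)", permissions: ["tabs", "<all_urls>"] };
const sampleFiles = {
  "popup.html": '<script src="http://cdn.example/lib.js"></script>',
  "popup.js": [
    "const title = note.title;",
    "list.innerHTML += '<li>' + title + '</li>';",
    "const cfg = eval('(' + raw + ')');",
    "item.textContent = title; // inserted as text, not parsed as markup",
  ].join("\n"),
};

const sampleFindings = auditExtension(sampleManifest, sampleFiles);
for (const f of sampleFindings) console.log(`${f.file}:${f.line} ${f.id} ${f.detail}`);
```

A line-based pattern match like this is a first-pass review aid: it will miss obfuscated or multi-line uses and can flag code that is actually safe.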
