Security was a key part of the pitch around Chrome OS when Google started revealing details of the operating system back in 2009. Fast forward to August 2011 – Google Chrome OS is a reality on the market and its security is on the menu at the annual Black Hat security conference in Las Vegas.
The presentation put a spotlight on the importance of secure extensions, particularly for users of Google Chrome since the mobile operating system is designed to work exclusively with Web applications. Further complicating matters is an apparent lack of vetting of extensions available for Chrome OS – something demonstrated when the duo were able to successfully upload a malicious extension to the Chrome Web store. They took the extension down immediately.
“It’s important to point out that extensions running in Chrome have actually been designed to limit privileges and to run in isolation by default,” a Google spokesperson told SecurityWeek. “Incognito mode on Chrome OS and Chrome do not allow extensions unless they are explicitly whitelisted by the user.”
The good news is that even if attackers manage to upload a malicious application to the Chrome Web store, they will likely have a hard time tricking large numbers of people into installing it, opined Chester Wisniewski, senior security advisor at Sophos Canada, in a blog post. “The worrying part is that any existing popular extensions which contain vulnerabilities could allow for an attacker to arbitrarily hijack everything that occurs in your browser session,” he wrote. “Scary.”