Black Hat

Hacking Google Chrome Talk Puts Security Focus on Extensions

Security was a key part of the pitch around Chrome OS when Google started revealing details of the operating system back in 2009. Fast forward to August 2011 – Google Chrome OS is a reality on the market and its security is on the menu at the annual Black Hat security conference in Las Vegas.


In their presentation Aug. 3, Matt Johansen and Kyle Osborn of WhiteHat Security demonstrated how to compromise Chrome by targeting vulnerable Web extensions via cross-site scripting bugs that enable attackers to inject JavaScript into user machines by leveraging the permissions the extensions use.

The presentation put a spotlight on the importance of secure extensions, particularly for users of Google Chrome since the mobile operating system is designed to work exclusively with Web applications. Further complicating matters is an apparent lack of vetting of extensions available for Chrome OS – something demonstrated when the duo were able to successfully upload a malicious extension to the Chrome Web store. They took the extension down immediately.

For its part, Google – which the researchers said was quick to fix a vulnerability the duo found in an extension bundled with Chrome called Scratchpad – issued a number of pieces of advice in the weeks before Black Hat to help people writing extensions improve security. Among the tidbits: minimize your permissions and avoid including JavaScript in pages using an HTTP URL, with the latter opening the extension up to the possibility of man-in-the-middle attacks. The company also recommends not using the eval() function or innerHTML and document.write().
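Google's advice can be applied as a review check before an extension is published. The following is an added example, not code from Google or the WhiteHat researchers; the `auditExtension` function, the sample extension files, and the set of host patterns treated as broad are assumptions made for illustration.

```javascript
// Added example: flag the patterns named in Google's advice inside an extension's files.
// Assumes a manifest that lists host patterns in "permissions".
const RISKY_SINKS = [
  { name: "eval()", re: /\beval\s*\(/ },
  { name: "innerHTML", re: /\.innerHTML\s*\+?=/ },
  { name: "document.write()", re: /\bdocument\.write(ln)?\s*\(/ },
];
// A script tag in an extension page whose src is plain HTTP (exposed to man-in-the-middle).
const HTTP_SCRIPT = /<script\b[^>]*\bsrc\s*=\s*["']?http:\/\//i;
// Host patterns that grant access to every site (threshold chosen for this example).
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditExtension(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path === "manifest.json") {
      let manifest;
      try { manifest = JSON.parse(text); }
      catch (e) { findings.push({ path, line: 0, issue: "unparseable manifest" }); continue; }
      for (const p of manifest.permissions || [])
        if (BROAD_HOSTS.has(p)) findings.push({ path, line: 0, issue: `broad permission ${p}` });
      continue;
    }
    text.split("\n").forEach((src, i) => {
      const line = i + 1;
      if (/\.html?$/.test(path) && HTTP_SCRIPT.test(src))
        findings.push({ path, line, issue: "script loaded over http" });
      if (/\.(js|html?)$/.test(path))
        for (const s of RISKY_SINKS)
          if (s.re.test(src)) findings.push({ path, line, issue: `uses ${s.name}` });
    });
  }
  return findings;
}

// Constructed sample input, not a real extension.
const sampleExtension = {
  "manifest.json": JSON.stringify({ name: "Sample notes", permissions: ["tabs", "<all_urls>"] }),
  "popup.html": '<html><body><div id="note"></div>\n<script src="http://cdn.example/lib.js"></script>\n<script src="popup.js"></script></body></html>',
  "popup.js": 'const note = localStorage.getItem("note");\ndocument.getElementById("note").innerHTML = note;\nconst cfg = eval("(" + localStorage.getItem("cfg") + ")");\ndocument.getElementById("note").textContent = note;',
};

const report = auditExtension(sampleExtension);
for (const f of report) console.log(`${f.path}:${f.line} ${f.issue}`);
```

The last line of the sample `popup.js` writes the same value through `textContent`, which the check does not flag because the value is treated as text rather than parsed as markup.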

“It’s important to point out that extensions running in Chrome have actually been designed to limit privileges and to run in isolation by default,” a Google spokesperson told SecurityWeek. “Incognito mode on Chrome OS and Chrome do not allow extensions unless they are explicitly whitelisted by the user.”

The good news is that even if attackers manage to upload a malicious application to the Chrome Web store, they will likely have a hard time tricking large numbers of people into installing it, opined Chester Wisniewski, senior security advisor at Sophos Canada, in a blog post. “The worrying part is that any existing popular extensions which contain vulnerabilities could allow for an attacker to arbitrarily hijack everything that occurs in your browser session,” he wrote. “Scary.”
