(click image for larger view)
Slideshow: Google Chrome OSPromises Computing Without Pain
Vulnerabilities in Google Chrome OS extensions could give malicious hackers an easy point of attack to steal users' passwords, contacts, email, and more, according to two researchers speaking at Black Hat, a UBM TechWeb event, in Las Vegas on Wednesday.
While Google has extoled the security of its new mobile operating system, the system is only as secure as the apps that run on it, according to White Hat team lead Matt Johansen and application security specialist Kyle Osborn. "This is a juicy new attack surface," Johansen said. "There's none of the usual suspects you'd find on the desktop. We're not interested in your hard drive when we can get whatever you have in the cloud."
The primary problem, Johansen and Osborn said, is that many extensions allow wide-open permissions, and often more access than they need, such as the ability to access any website whatsoever. Some apps, such as RSS readers, mail notifiers, and note takers, often require broad access.
Apple vets applications that wind up on its AppStore, but Google does not do the same for extensions made available for Chrome OS. That means that a malicious actor could upload an innocuous-sounding extension to the Chrome Web Store and then hack those who download it. In fact, to prove the point, Osborn said he successfully briefly uploaded an extension called "Malicious Extension" to the Web store (though he immediately took it down thereafter).
However, in addition to malicious apps, there may be vulnerabilities even in common apps. Johnasen and Osborn discovered, for example, that Google's ScratchPad note-taking app allowed them to use a cross-site scripting injection to grab users' contacts, as well as their cookies, which could in turn provide a hacker with access to, for example, a user's Gmail or call history. While Google quickly closed this vulnerability after its discovery, Johansen noted that the two have found vulnerabilities in numerous other apps that could allow similar permissions.
GTEC brings together leading public and private sector experts to collaborate on serving Canadian citizens better through innovation and technology. It happens in Ottawa, Oct. 17-20. Find out more.
InformationWeek Elite 100Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.