(click image for larger view)
Slideshow: Google Chrome OSPromises Computing Without Pain
Vulnerabilities in Google Chrome OS extensions could give malicious hackers an easy point of attack to steal users' passwords, contacts, email, and more, according to two researchers speaking at Black Hat, a UBM TechWeb event, in Las Vegas on Wednesday.
While Google has extoled the security of its new mobile operating system, the system is only as secure as the apps that run on it, according to White Hat team lead Matt Johansen and application security specialist Kyle Osborn. "This is a juicy new attack surface," Johansen said. "There's none of the usual suspects you'd find on the desktop. We're not interested in your hard drive when we can get whatever you have in the cloud."
The primary problem, Johansen and Osborn said, is that many extensions allow wide-open permissions, and often more access than they need, such as the ability to access any website whatsoever. Some apps, such as RSS readers, mail notifiers, and note takers, often require broad access.
Apple vets applications that wind up on its AppStore, but Google does not do the same for extensions made available for Chrome OS. That means that a malicious actor could upload an innocuous-sounding extension to the Chrome Web Store and then hack those who download it. In fact, to prove the point, Osborn said he successfully briefly uploaded an extension called "Malicious Extension" to the Web store (though he immediately took it down thereafter).
However, in addition to malicious apps, there may be vulnerabilities even in common apps. Johnasen and Osborn discovered, for example, that Google's ScratchPad note-taking app allowed them to use a cross-site scripting injection to grab users' contacts, as well as their cookies, which could in turn provide a hacker with access to, for example, a user's Gmail or call history. While Google quickly closed this vulnerability after its discovery, Johansen noted that the two have found vulnerabilities in numerous other apps that could allow similar permissions.
GTEC brings together leading public and private sector experts to collaborate on serving Canadian citizens better through innovation and technology. It happens in Ottawa, Oct. 17-20. Find out more.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.