Google’s new Chrome Operating System was designed to fix the nagging security problems that have plagued platforms like Microsoft Windows. But new research unveiled at the Black Hat Briefings in Las Vegas suggests that the new cloud-centric OS, while far more secure, may also introduce some troubling security issues, too.
In their talk, Web security researchers Matt Johansen and Kyle Osborn, both of Whitehat Security, said that a thorough audit of Google’s Chrome OS turned up numerous security issues, most of which are not specific to Chrome, but which could still be used to push malicious programs to devices running Chrome, hijack Google- or other online accounts of Chrome users and steal sensitive information.
The researchers spoke Wednesday in a BlackHat session dubbed “Hacking Google Chrome OS,” which presented the results of a WhiteHat audit that was authorized by Google, itself. The two gave the Web based OS high marks on many traditional measures of security, noting that Chrome OS eliminates many traditional targets of malware and attacks: Chrome OS devices don’t use internal hard drives, eliminating the possibility of persistent malware infections and data theft.
“We’re not looking for the ‘usual suspects’ like buffer overflows or vulnerabilities in (Adobe) Flash or (Microsoft) Office,” Johansen told the audience.
Instead, the researchers said they focused their attention on some of the core APIs (application program interfaces) that undergird Chrome, and on extensions to Chrome that might allow attackers to push malicious content before a user, capture information from them or access sensitive databases and other data stores.
Among other things, the two researchers found that a notepad application, Scratchpad, that comes bundled with the ChromeOS on Chromebooks contained a cross site scripting vulnerability that could have allowed one Chrome user to hijack another user’s Google account, make off with their Google contacts and other data by way of a shared Scratchpad and some simple Javascript. Google has since closed that security hole, the researchers said.
In analyzing key Chrome APIs, the two found that those interfaces permitted behavior that, while not unique to Chrome, could make stealthy attacks against Chrome OS environments child’s play. APIs like chrome.windows and chrome.tabs allow new browser windows to be opened and scripts run automatically upon accessing a specific Web site – a feature that could be used, for example, to craft attacks against banking or e-commerce Web sites.
Chrome extensions, if not properly written, could contain cross site scripting holes that could then be leveraged by an attacker against any Web site. Google’s policy of abstaining from reviews of extensions that are uploaded to the company’s Web store also pose a problem by allowing clearly malicious extensions to be posted without any review or sanity checking.
During the demonstration, the two showed off a custom extension they developed that collected a number of malicious features, including one that could allow an attacker to launch an internal port scan from Web browser with some simple HTML and Java coding. Osborn said he was able to upload the malicious extension to Google’s Web store, from which other users could download it.
Google hasn’t contested the researchers’ findings, but says the attacks they demonstrated aren’t unique to its operating system, but are typical of Web based attacks that affect all operating systems. “We think that the characterization that this is a new attack surface created with Chrome OS seems inconsistent,” a company spokesman told Threatpost.
According to the Whitehat researchers, Google is weighing responses to the security issues they raised, including the introduction of application specific APIs that would allow the company to more tightly control access permissions extensions and limit access to other data stored on Google. A Google spokesman declined to comment on that. For now, the company said it wants to work with developers to avoid cross site scripting.
“Extensions are powerful software, and there are a number of things that come into play with that, but this isn’t about the Chrome OS, its about the Web and those extensions,” the spokesman said.