Black Hat: Google’s Chrome OS Could Enable Nasty Web Based Attacks

Author: Paul Roberts
minute read

HED: Three Ways that Google’s Chrome OS Could Enable Really Nasty Web Based AttacksDEK: Researchers at the Black Hat Briefings conference in Las Vegas warn that Google’s new Chrome Operating System could enable certain kinds of Web based attacksGoogle’s new Chrome Operating System was designed to fix the nagging security problems that have plagued platforms like Microsoft Windows. But new research unveiled at the Black Hat Briefings in Las Vegas suggests that the new cloud-centric OS, while far more secure, may also introduce some troubling security issues, too. In their talk, Web security researchers Matt Johansen and Kyle Osborn, both of Whitehat Security, said that a thorough audit of Google’s Chrome OS turned up numerous security issues, most of which are not specific to Chrome, but which could still be used to push malicious programs to devices running Chrome, hijack Google- or other online accounts of Chrome users and steal sensitive information. The researchers spoke Wednesday in a BlackHat session dubbed “Hacking Google Chrome OS,” which presented the results of a WhiteHat audit that was authorized by Google, itself. The two gave the Web based OS high marks on many traditional measures of security, noting that Chrome OS eliminates many traditional targets of malware and attacks: Chrome OS devices don’t use internal hard drives, eliminating the possibility of persistent malware infections and data theft. “We’re not looking for the ‘usual suspects’ like buffer overflows or vulnerabilities in (Adobe) Flash or (Microsoft) Office,” Johansen told the audience. Instead, the researchers said they focused their attention on some of the core APIs (application program interfaces) that undergird Chrome, and on extensions to Chrome that might allow attackers to push malicious content before a user, capture information from them or access sensitive databases and other data stores. Among other things, the two researchers found that a notepad application, Scratchpad, that comes bundled with the ChromeOS on Chromebooks contained a cross site scripting vulnerability that could have allowed one Chrome user to hijack another user’s Google account, make off with their Google contacts and other data by way of a shared Scratchpad and some simple Javascript. Google has since closed that security hole, the researchers said. In analyzing key Chrome APIs, the two found that those interfaces permitted behavior that, while not unique to Chrome, could make stealthy attacks against Chrome OS environements child’s play. APIs like chrome.windows and chrome.tabs allow new browser windows to be opened and scripts run automatically upon accessing a specific Web site – a feature that could be used, for example, to craft attacks against banking or e-commerce Web sites.Chrome extensions, if not properly written, could contain cross site scripting holes that could then be leveraged by an attacker against any Web site. Google’s policy of abstaining from reviews of extensions that are uploaded to the company’s Web store also pose a problem by allowing clearly malicious extensions to be posted without any review or sanity checking. During the demonstration, the two showed off a custom extension they developed that collected a number of malicious features, including one that could allow an attacker to launch an internal port scan from Web browser with some simple HTML and Java coding. Osborn said he was able to upload the malicious extension to Google’s Web store, from which other users could download it. Google hasn’t contested the researchers’ findings, but says the attacks they demonstrated aren’t unique to its operating system, but are typical of Web based attacks that affect all operating systems. “We think that the characterization that this is a new attack surface created with Chrome OS seems inconsistent,” a company spokesman told Threatpost. According to the Whitehat researchers, Google is weighing responses to the security issues they raised, including the introduction of application specific APIs that would allow the company to more tightly control access permissions extensions and limit access to other data stored on Google. A Google spokesman declined to comment on that. For now, the company said it wants to work with developers to avoid cross site scripting. “Extensions are powerful software, and there are a number of things that come into play with that, but this isn’t about the Chrome OS, its about the Web and those extensions,” the spokesman said. Researchers at the Black Hat Briefings conference in Las Vegas warn that Google’s new Chrome Operating System could enable certain kinds of Web based attacksGoogle’s new Chrome Operating System was designed to fix the nagging security problems that have plagued platforms like Microsoft Windows. But new research unveiled at the Black Hat Briefings in Las Vegas suggests that the new cloud-centric OS, while far more secure, may also introduce some troubling security issues, too.

HED: Three Ways that Google’s Chrome OS Could Enable Really Nasty Web Based Attacks
DEK: Researchers at the Black Hat Briefings conference in Las Vegas warn that Google’s new Chrome Operating System could enable certain kinds of Web based attacks
Google’s new Chrome Operating System was designed to fix the nagging security problems that have plagued platforms like Microsoft Windows. But new research unveiled at the Black Hat Briefings in Las Vegas suggests that the new cloud-centric OS, while far more secure, may also introduce some troubling security issues, too. 
In their talk, Web security researchers Matt Johansen and Kyle Osborn, both of Whitehat Security, said that a thorough audit of Google’s Chrome OS turned up numerous security issues, most of which are not specific to Chrome, but which could still be used to push malicious programs to devices running Chrome, hijack Google- or other online accounts of Chrome users and steal sensitive information. 
The researchers spoke Wednesday in a BlackHat session dubbed “Hacking Google Chrome OS,” which presented the results of a WhiteHat audit that was authorized by Google, itself. The two gave the Web based OS high marks on many traditional measures of security, noting that Chrome OS eliminates many traditional targets of malware and attacks: Chrome OS devices don’t use internal hard drives, eliminating the possibility of persistent malware infections and data theft. 
“We’re not looking for the ‘usual suspects’ like buffer overflows or vulnerabilities in (Adobe) Flash or (Microsoft) Office,” Johansen told the audience. 
Instead, the researchers said they focused their attention on some of the core APIs (application program interfaces) that undergird Chrome, and on extensions to Chrome that might allow attackers to push malicious content before a user, capture information from them or access sensitive databases and other data stores. 
Among other things, the two researchers found that a notepad application, Scratchpad, that comes bundled with the ChromeOS on Chromebooks contained a cross site scripting vulnerability that could have allowed one Chrome user to hijack another user’s Google account, make off with their Google contacts and other data by way of a shared Scratchpad and some simple Javascript. Google has since closed that security hole, the researchers said. 
In analyzing key Chrome APIs, the two found that those interfaces permitted behavior that, while not unique to Chrome, could make stealthy attacks against Chrome OS environements child’s play. APIs like chrome.windows and chrome.tabs allow new browser windows to be opened and scripts run automatically upon accessing a specific Web site – a feature that could be used, for example, to craft attacks against banking or e-commerce Web sites.
Chrome extensions, if not properly written, could contain cross site scripting holes that could then be leveraged by an attacker against any Web site. Google’s policy of abstaining from reviews of extensions that are uploaded to the company’s Web store also pose a problem by allowing clearly malicious extensions to be posted without any review or sanity checking. 
During the demonstration, the two showed off a custom extension they developed that collected a number of malicious features, including one that could allow an attacker to launch an internal port scan from Web browser with some simple HTML and Java coding. Osborn said he was able to upload the malicious extension to Google’s Web store, from which other users could download it. 
Google hasn’t contested the researchers’ findings, but says the attacks they demonstrated aren’t unique to its operating system, but are typical of Web based attacks that affect all operating systems. “We think that the characterization that this is a new attack surface created with Chrome OS seems inconsistent,” a company spokesman told Threatpost. 
According to the Whitehat researchers, Google is weighing responses to the security issues they raised, including the introduction of application specific APIs that would allow the company to more tightly control access permissions extensions and limit access to other data stored on Google. A Google spokesman declined to comment on that. For now, the company said it wants to work with developers to avoid cross site scripting. 
“Extensions are powerful software, and there are a number of things that come into play with that, but this isn’t about the Chrome OS, its about the Web and those extensions,” the spokesman said. Researchers at the Black Hat Briefings conference in Las Vegas warn that Google’s new Chrome Operating System could enable certain kinds of Web based attacks

Chrome OSGoogle’s new Chrome Operating System was designed to fix the nagging security problems that have plagued platforms like Microsoft Windows. But new research unveiled at the Black Hat Briefings in Las Vegas suggests that the new cloud-centric OS, while far more secure, may also introduce some troubling security issues, too.

In their talk, Web security researchers Matt Johansen and Kyle Osborn, both of Whitehat Security, said that a thorough audit of Google’s Chrome OS turned up numerous security issues, most of which are not specific to Chrome, but which could still be used to push malicious programs to devices running Chrome, hijack Google- or other online accounts of Chrome users and steal sensitive information.

The researchers spoke Wednesday in a BlackHat session dubbed “Hacking Google Chrome OS,” which presented the results of a WhiteHat audit that was authorized by Google, itself. The two gave the Web based OS high marks on many traditional measures of security, noting that Chrome OS eliminates many traditional targets of malware and attacks: Chrome OS devices don’t use internal hard drives, eliminating the possibility of persistent malware infections and data theft. 

“We’re not looking for the ‘usual suspects’ like buffer overflows or vulnerabilities in (Adobe) Flash or (Microsoft) Office,” Johansen told the audience. 

Instead, the researchers said they focused their attention on some of the core APIs (application program interfaces) that undergird Chrome, and on extensions to Chrome that might allow attackers to push malicious content before a user, capture information from them or access sensitive databases and other data stores. 

Among other things, the two researchers found that a notepad application, Scratchpad, that comes bundled with the ChromeOS on Chromebooks contained a cross site scripting vulnerability that could have allowed one Chrome user to hijack another user’s Google account, make off with their Google contacts and other data by way of a shared Scratchpad and some simple Javascript. Google has since closed that security hole, the researchers said. 

In analyzing key Chrome APIs, the two found that those interfaces permitted behavior that, while not unique to Chrome, could make stealthy attacks against Chrome OS environments child’s play. APIs like chrome.windows and chrome.tabs allow new browser windows to be opened and scripts run automatically upon accessing a specific Web site – a feature that could be used, for example, to craft attacks against banking or e-commerce Web sites.

Chrome extensions, if not properly written, could contain cross site scripting holes that could then be leveraged by an attacker against any Web site. Google’s policy of abstaining from reviews of extensions that are uploaded to the company’s Web store also pose a problem by allowing clearly malicious extensions to be posted without any review or sanity checking. 

During the demonstration, the two showed off a custom extension they developed that collected a number of malicious features, including one that could allow an attacker to launch an internal port scan from Web browser with some simple HTML and Java coding. Osborn said he was able to upload the malicious extension to Google’s Web store, from which other users could download it. 

Google hasn’t contested the researchers’ findings, but says the attacks they demonstrated aren’t unique to its operating system, but are typical of Web based attacks that affect all operating systems. “We think that the characterization that this is a new attack surface created with Chrome OS seems inconsistent,” a company spokesman told Threatpost. 

According to the Whitehat researchers, Google is weighing responses to the security issues they raised, including the introduction of application specific APIs that would allow the company to more tightly control access permissions extensions and limit access to other data stored on Google. A Google spokesman declined to comment on that. For now, the company said it wants to work with developers to avoid cross site scripting. 

“Extensions are powerful software, and there are a number of things that come into play with that, but this isn’t about the Chrome OS, its about the Web and those extensions,” the spokesman said. 

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.