Google may see its Chrome operating system as Reuters story published yesterday.than traditional alternatives, but one security researcher believes the cloud-based OS is vulnerable, according to a
WhiteHat Security researcher Matt Johansen said he found a flaw in a Chrome OS application that he was able to exploit to gain control of a Google e-mail account. Though Google fixed the flaw after it was reported, Johansen claims to have discovered other applications with the same flaw, Reuters said.
In citing the security holes in Chrome OS, Johansen specifically pointed to the ability of hackers who can steal data as it moves between the cloud and the Chrome OS browser instead of hacking directly into a user's PC.
"I can get at your online banking or your Facebook profile or your e-mail as it is being loaded in the browser," he told Reuters. "If I can exploit some kind of Web application to access that data, then I couldn't care less what is on the hard drive."
The vulnerable applications cited by Johansen are extensions downloaded from the Google Chrome Web Store. Though most other browsers also use extensions, Johansen believes there's a design flaw in Google Chrome OS that gives extensions "sweeping rights to access data stored on the cloud."
In response to Johansen's claims, a Google spokeswoman confirmed with CNET that the initial extension reported by the researcher was patched months ago but questioned the overall labeling of Chrome OS as vulnerable due to its use of extensions.
"It is a mischaracterization to say that this is something inherently baked into the Chrome operating system because all modern browsers run extensions," she said. "If anything, this is more about Chrome the browser and what do we do to protect extensions running on Chrome."
The spokeswoman also said she contacted the writer of the Reuters piece to ask for the proof from WhiteHat that this is a fundamental design flaw in the OS.
"There's a lot of work that we've been doing around security to protect extensions running on Chrome," Google said. "Extensions running in Chrome have actually been designed to limit access privileges and to run in isolation by default. Incognito mode on Chrome OS and Chrome do not allow extensions unless they are explicitly whitelisted by the user, and enterprises can also enforce extension whitelisting for their domain."
Caesar Sengupta, director of Chrome OS, told Reuters that Google is also looking into ways to tag "questionable" extensions without making it difficult for developers to distribute their extensions to the Chrome Web Store. The representative confirmed that Google has security people working on this aspect as well.
"All modern browsers run extensions, and all major computer lines support browsers," added the spokeswoman. "These kinds of web attacks are also valid on other browsers and devices, as even extension reviews are not foolproof."
A spokesman for WhiteHat Security seemed to want to soften the tone reflected in the Reuters piece by telling CNET that WhiteHat has a good relationship with Google's security people and works closely with them on vulnerabilities.
"The Black Hat talk (which spurred the Reuters piece) is really about how moving the OS to the cloud presents different security challenges," said the WhiteHat spokesman, "i.e. we're not trying to 'call out' Google for anything."
Johansen had told Reuters that he and fellow researcher Kyle Osborn will reveal more information about the reported vulnerabilities in Chrome OS at the Black Hat hacking conference in Las Vegas this August.
Johansen also tried to clarify and explain his findings in response to questions from CNET.
"I wouldn't say Chrome OS is 'not secure,' but it certainly isn't the end-all of security issues," Johansen told CNET. "All of the steps to remove access to the hard drive and all of the sandboxing that Google does are great security improvements. The part where security issues arise, other than browser exploits, which will likely come out in the future and Chrome patches frequently, is the fact that these extensions, which are mostly developed by third parties that have a permission set that sometimes is pretty wide open."
Johansen said that he also saw this issue in the Android app store with apps that had permission to access a user's contact list and GPS location.
All browsers and Web-based apps face similar issues with vulnerabilities, Johansen added. But with Chrome OS, since you can't install software on the hard drive, extensions are the only way to add functionality outside of the browser.
"Just like an iPad or a smartphone, people go 'app crazy;' to get use out of a ChromeOS machine you will need to go 'extension crazy,'" Johansen said.
WhiteHat also looked into extensions from other browsers such as Firefox and Safari to see if they faced the same security flaws.
Johansen concluded that most other browser extensions act more like software, while Chrome OS extensions act more like "mini Web applications." As a result, other browsers can be affected by software vulnerabilities, such as buffer overflows. But Chrome can be hit by Web application vulnerabilities, Johansen said. Such vulnerabilities were detailed in a WhiteHat 2007 white paper (PDF).