In a preview of a demonstration at the upcoming Black Hat security conference, a security researcher demonstrated how browser extensions can be used to compromise Chrome OS.
The Chrome extension ScratchPad had a wide range of permissions that made it vulnerable to a cross-site scripting attack, Matt Johansen, an application security specialist at WhiteHat Security, said July 14 in a preview of a presentation he will be making at Black Hat.
Johansen did his work on the Google CR-48 Beta laptop released last fall, but said malicious extensions would affect any device running Chrome OS, whether it is the CR-48 or the Chromebook.
He noted WhiteHat Security was able to “abuse” the Chrome OS “pretty quickly”.
In his demonstration, a friend shared a folder containing a note with malicious code, which was then accessible on the CR-48 through the ScratchPad extension. Once the note was opened, the note was able to then steal all his contacts saved in Gmail because he was already logged into Google’s services.
Google patched this specific flaw in the ScratchPad extension after being notified by Johansen. He found similar problems in other extensions but did not mention which ones, although promising his listeners that he had a few more “tricks up his sleeve” to reveal at Black Hat.
Applications are turning out to be the most common attack vectors for mobile devices but, on a Web-based operating system like Chrome OS, the attacks will come from extensions, Johansen said. Extensions are applications available from the Google Chrome Web store that run in the browser and allow users to access cloud services. While they are similar to Web browser extensions, Chrome OS extensions are far more powerful.
Similar to mobile apps, extensions rely on permissions to gain access to various capabilities and features. The key difference is that mobile apps require permission from the user to access those features while permissions for the Chrome OS extension are set and defined by the developer, Johansen said.
Noting that the bulk of Chrome OS extensions will be written by independent software developers, extensions represent a “new attack surface”, Johansen said. Users now need to worry about the “security mindset” of the development team behind the extension before downloading.
“Security vulnerabilities are bound to be plentiful,” Johansen said, calling Chrome OS a “target-rich environment”.
The focus on cloud-based storage and applications means that a majority of threats are automatically eliminated because malware cannot be downloaded onto the machine. Chrome OS protects users from the “usual suspects”, Johansen said.
Instead of targeting the data stored on the machine’s hard drive, malicious attackers will increasingly target applications that send data between the Chrome browser and the cloud service, Johansen said.
Johansen and colleague Kyle Osborn will demonstrate other ways to hack Chrome OS at Black Hat, which will be held on August 3-4 in Las Vegas, Nevada.
Thoma Bravo agrees to acquire Darktrace for $5.32 billion in cash, delivering some welcome news…
Customer adoption of AI services embedded in cloud services continues to deliver results for Microsoft,…
TikTok's 'secret source' algorithm is so core to ByteDance, it would rather shut down US…
After relocating from California to Texas in 2020, Oracle's Larry Ellison now reveals plan to…
Share price hit after Meta admits heavy AI spending plans, after posting strong first quarter…
For third time Google delays phase-out of third-party Chrome cookies after pushback from industry and…