Today at Black Hat, a computer security conference in Las Vegas, researchers described how they were able to steal data from Chrome OS, an operating system built by Google that requires the user to do almost everything via the Web. By using the operating system’s Web-based design against itself, the researchers were able to get access to users’ names and passwords, and even banking information. While the specific vulnerabilities they exploited can be closed, the researchers say there is no way to block the broader threat.
Google has touted Chrome OS as a revolutionary approach to computing, and emphasized its security. Since applications run on the Web, users won’t run out-of-date software, which commonly leaves them open to security vulnerabilities. The system is also automatically updated, and little is stored on the user’s computer. If a malicious piece of software tries to get onto a Chrome computer, Google can remotely restore the operating system to a pristine state. These aspects should make it less vulnerable to viruses and other threats.
But the researchers, Matt Johansen and Kyle Osborn, from the Web application security company White Hat Security, demonstrated that moving to the Web comes with its own set of dangers. “There is no access to the hard drive, but we don’t care,” says Johansen. “We’re after information. We’re not trying to build a botnet on your Chromebook.”
The pair used common hacking techniques. They were successful almost immediately with a method called cross-site scripting. This involves injecting a Web page with code that runs in the browsers of visitors to the site. The code then performs malicious tasks on those visitors’ machines.
Chrome OS is designed to limit the damage this technique could cause. It does this via a technique called sandboxing, which is meant to prevent what’s happening in one browser tab from affecting another. Johansen and Osborn used cross-site scripting to attack Chrome OS’s browser extensions, which typically add new functionality.
In Chrome OS, extensions are more powerful than in other browsers, and aren’t subject to the same sandbox rules as browser tabs. That’s because they exist, in part, to provide functions that affect multiple tabs. “You’re talking about a super pared-down version of the operating system,” says Osborn, “and they’re trying to rebuild functionality through extensions.”
The researchers found that extensions can get broad access to what’s going on in users’ browser tabs. As such, someone could use them to steal usernames and passwords, cookies, and browsing history information, including information that comes from sites that don’t have vulnerabilities themselves.