Threat extension: Chrome OS relies on browser extensions, shown here, to add full functionality to the operating system. But researchers say they can also open the system to security threats.
The researchers found that many existing extensions had broad permissions, and were vulnerable to cross-site scripting. They also showed that it’s possible to build malicious extensions. They could be disguised, for example, as ways to get images of pop stars.
The researchers say there’s no way to block this threat because anyone can make an extension, and Google doesn’t review them before they’re made available to users. There are nearly always going to be some extensions with security vulnerabilities, giving hackers a way to bypass the otherwise solid protections of Chrome OS.
The researchers were also able to steal data from LastPass, a password management system, by taking over a different extension and using it to open new tabs. This allowed them to see the password information that LastPass inserted. Though LastPass changed its system so that user information is no longer automatically entered, this still wouldn’t protect a user from a hacker who got in through a malicious extension, the researchers say. A hacker would just have to wait until the user opened a new tab.
“Whose problem is this on the whole?” Johansen says, noting that both Google and extension makers may have a responsibility to protect against the attack.
Google has fixed the problems with its own extensions, and is contacting extension makers who may be able to help. On Friday, the company posted a blog entry emphasizing the power of Chrome’s built-in security: “We continue to improve features like our Safe Browsing API and our extensions model that help protect users from malicious Web content.” Still, Google says users need to be careful about what permissions they grant to extensions and where they travel on the Web.
Google has also issued guidelines for developers on writing extensions more securely. And the next release of Chrome will also support a content security policy designed to reduce the risk of cross site scripting attacks.
“This conversation is about the web, not Chrome OS,” a statement from Google says. “[Computers running Chrome] raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.”
In other words, moving the computing experience entirely to the Web may solve one set of security problems while opening up a box full of new ones.
Hear more from Google at EmTech 2014.