MIT Technology Review



Threat extension: Chrome OS relies on browser extensions, shown here, to add full functionality to the operating system. But researchers say they can also open the system to security threats.

The researchers found that many existing extensions had broad permissions, and were vulnerable to cross-site scripting. They also showed that it’s possible to build malicious extensions. They could be disguised, for example, as ways to get images of pop stars.

The researchers say there’s no way to block this threat because anyone can make an extension, and Google doesn’t review them before they’re made available to users. There are nearly always going to be some extensions with security vulnerabilities, giving hackers a way to bypass the otherwise solid protections of Chrome OS.

The researchers were also able to steal data from LastPass, a password management system, by taking over a different extension and using it to open new tabs. This allowed them to see the password information that LastPass inserted. Though LastPass changed its system so that user information is no longer automatically entered, this still wouldn’t protect a user from a hacker who got in through a malicious extension, the researchers say. A hacker would just have to wait until the user opened a new tab.

“Whose problem is this on the whole?” Johansen says, noting that both Google and extension makers may have a responsibility to protect against the attack.

Google has fixed the problems with its own extensions, and is contacting extension makers who may be able to help. On Friday, the company posted a blog entry emphasizing the power of Chrome’s built-in security: “We continue to improve features like our Safe Browsing API and our extensions model that help protect users from malicious Web content.” Still, Google says users need to be careful about what permissions they grant to extensions and where they travel on the Web.

Google has also issued guidelines for developers on writing extensions more securely. And the next release of Chrome will also support a content security policy designed to reduce the risk of cross-site scripting attacks.
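An added example (not from the article or from Google): a small JavaScript audit of an extension manifest for the two issues named above, broad permissions and a missing or weakened content security policy. The function name, finding labels and sample manifests are constructed for illustration; the manifest keys are Chrome's own.

```javascript
// Added example: review an extension manifest before installing or publishing it.
// Finding labels and sample manifests are constructed; manifest keys are real.

// Host patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // used by manifest_version 3
  ];

  for (const p of perms) {
    if (BROAD_HOSTS.has(p)) findings.push(`broad-host:${p}`);
  }
  // "tabs" exposes the URLs and titles of the user's open tabs.
  if (perms.includes("tabs")) findings.push("tabs-api");

  // The policy is a string in manifest_version 2 and an object in version 3.
  const raw = manifest.content_security_policy;
  const csp = typeof raw === "string" ? raw : (raw && raw.extension_pages) || "";
  const version = manifest.manifest_version || 1;
  if (!csp) {
    // Version 2 and later get a default policy; version 1 gets none.
    if (version < 2) findings.push("csp-missing");
  } else {
    if (csp.includes("'unsafe-inline'")) findings.push("csp-unsafe-inline");
    if (csp.includes("'unsafe-eval'")) findings.push("csp-unsafe-eval");
  }
  return findings;
}

// Constructed sample manifests.
const riskyManifest = {
  name: "Constructed Sample A", manifest_version: 1,
  permissions: ["tabs", "http://*/*", "https://*/*"],
};
const tightManifest = {
  name: "Constructed Sample B", manifest_version: 2,
  permissions: ["storage", "https://notes.example.com/*"],
  content_security_policy: "script-src 'self'; object-src 'self'",
};

console.log(auditManifest(riskyManifest));
console.log(auditManifest(tightManifest));
```

An empty result means only that none of these coarse checks fired; it says nothing about cross-site scripting bugs in the extension's own code.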

“This conversation is about the web, not Chrome OS,” a statement from Google says. “[Computers running Chrome] raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.”

In other words, moving the computing experience entirely to the Web may solve one set of security problems while opening up a box full of new ones.


Credits: Technology Review, Google

Tagged: Computing, Google, security, Web, Chrome, Web apps, Chrome OS
