Today at Black Hat, a computer security conference in Las Vegas, researchers described how they were able to steal data from Chrome OS, an operating system built by Google that requires the user to do almost everything via the Web. By using the operating system’s Web-based design against itself, the researchers were able to get access to users’ names and passwords, and even banking information. While the specific vulnerabilities they exploited can be closed, the researchers say there is no way to block the broader threat.
Google has touted Chrome OS as a revolutionary approach to computing, and emphasized its security. Since applications run on the Web, users won’t run out-of-date software, which commonly leaves them open to security vulnerabilities. The system is also automatically updated, and little is stored on the user’s computer. If a malicious piece of software tries to get onto a Chrome computer, Google can remotely restore the operating system to a pristine state. These aspects should make it less vulnerable to viruses and other threats.
But the researchers, Matt Johansen and Kyle Osborn, from the Web application security company WhiteHat Security, demonstrated that moving to the Web comes with its own set of dangers. “There is no access to the hard drive, but we don’t care,” says Johansen. “We’re after information. We’re not trying to build a botnet on your Chromebook.”
The pair used common hacking techniques. They were successful almost immediately with a method called cross-site scripting. This involves injecting a Web page with code that runs in the browsers of visitors to the site. The code then performs malicious tasks on those visitors’ machines.
Chrome OS is designed to limit the damage this technique could cause. It does this via a technique called sandboxing, which is meant to prevent what’s happening in one browser tab from affecting another. Johansen and Osborn used cross-site scripting to attack Chrome OS’s browser extensions, which typically add new functionality.
In Chrome OS, extensions are more powerful than in other browsers, and aren’t subject to the same sandbox rules as browser tabs. That’s because they exist, in part, to provide functions that affect multiple tabs. “You’re talking about a super pared-down version of the operating system,” says Osborn, “and they’re trying to rebuild functionality through extensions.”
The researchers found that extensions can get broad access to what’s going on in users’ browser tabs. As such, someone could use them to steal usernames and passwords, cookies, and browsing history information, including information that comes from sites that don’t have vulnerabilities themselves.
The researchers found that many existing extensions had broad permissions and were vulnerable to cross-site scripting. They also showed that it’s possible to build malicious extensions. Such extensions could be disguised, for example, as ways to get images of pop stars.
The researchers say there’s no way to block this threat because anyone can make an extension, and Google doesn’t review them before they’re made available to users. There are nearly always going to be some extensions with security vulnerabilities, giving hackers a way to bypass the otherwise solid protections of Chrome OS.
The researchers were also able to steal data from LastPass, a password management system, by taking over a different extension and using it to open new tabs. This allowed them to see the password information that LastPass inserted. Though LastPass changed its system so that user information is no longer automatically entered, this still wouldn’t protect a user from a hacker who got in through a malicious extension, the researchers say. A hacker would just have to wait until the user opened a new tab.
“Whose problem is this on the whole?” Johansen says, noting that both Google and extension makers may have a responsibility to protect against the attack.
Google has fixed the problems with its own extensions, and is contacting extension makers who may be able to help. On Friday, the company posted a blog entry emphasizing the power of Chrome’s built-in security: “We continue to improve features like our Safe Browsing API and our extensions model that help protect users from malicious Web content.” Still, Google says users need to be careful about what permissions they grant to extensions and where they travel on the Web.
Google has also issued guidelines for developers on writing extensions more securely. And the next release of Chrome will also support a content security policy designed to reduce the risk of cross-site scripting attacks.
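A defender-side check for the two conditions described above, extensions holding broad permissions and extensions running without a content security policy: the added example below (not code from the researchers or from Google) audits a Chrome extension manifest before it is installed or published. The sample manifests and the choice of which permissions count as sensitive are constructed for illustration.

```javascript
// Permissions that expose browsing data across sites (illustrative selection).
const SENSITIVE_APIS = new Set(["tabs", "cookies", "history", "webRequest"]);
// Match patterns that cover every site.
const ALL_SITES = /^(<all_urls>|(\*|https?):\/\/\*\/\*)$/;

function auditManifest(manifest) {
  const findings = [];
  const scriptHosts = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || []), ...scriptHosts];
  for (const p of new Set(declared)) {
    if (ALL_SITES.test(p)) findings.push(`all-sites access: ${p}`);
    else if (SENSITIVE_APIS.has(p)) findings.push(`sensitive API: ${p}`);
  }
  // content_security_policy is a string in manifest v2 and an object in v3.
  // Manifests with manifest_version 2 or later get a default policy when none is declared.
  const raw = manifest.content_security_policy;
  const csp = typeof raw === "string" ? raw : (raw || {}).extension_pages || "";
  const hasDefault = (manifest.manifest_version || 1) >= 2;
  if (!csp && !hasDefault) findings.push("no content security policy in effect");
  const weak = csp.match(/'unsafe-(inline|eval)'/);
  if (weak) findings.push(`CSP relaxed with ${weak[0]}`);
  return findings;
}

// Constructed sample manifests (not real extensions).
const risky = {
  name: "Pop Star Wallpapers",
  permissions: ["tabs", "cookies", "http://*/*", "https://*/*"],
};
const narrow = {
  name: "Example Notes",
  manifest_version: 2,
  permissions: ["storage", "https://notes.example.com/*"],
  content_security_policy: "script-src 'self'; object-src 'self'",
};

console.log(auditManifest(risky));
console.log(auditManifest(narrow));
```

An empty result means only that the manifest requests little; it says nothing about cross-site scripting flaws in the extension's own code.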
“This conversation is about the web, not Chrome OS,” a statement from Google says. “[Computers running Chrome] raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.”
In other words, moving the computing experience entirely to the Web may solve one set of security problems while opening up a box full of new ones.