Cracking Open Chrome OS

Researchers use the Web to steal passwords and other data from Google’s Web-based operating system.

Today at Black Hat, a computer security conference in Las Vegas, researchers described how they were able to steal data from Chrome OS, an operating system built by Google that requires the user to do almost everything via the Web. By using the operating system’s Web-based design against itself, the researchers were able to get access to users’ names and passwords, and even banking information. While the specific vulnerabilities they exploited can be closed, the researchers say there is no way to block the broader threat.

Google has touted Chrome OS as a revolutionary approach to computing, and emphasized its security. Since applications run on the Web, users won’t run out-of-date software, which commonly leaves them open to security vulnerabilities. The system is also automatically updated, and little is stored on the user’s computer. If a malicious piece of software tries to get onto a Chrome computer, Google can remotely restore the operating system to a pristine state. These aspects should make it less vulnerable to viruses and other threats.

But the researchers, Matt Johansen and Kyle Osborn, from the Web application security company White Hat Security, demonstrated that moving to the Web comes with its own set of dangers. “There is no access to the hard drive, but we don’t care,” says Johansen. “We’re after information. We’re not trying to build a botnet on your Chromebook.”

The pair used common hacking techniques. They were successful almost immediately with a method called cross-site scripting. This involves injecting a Web page with code that runs in the browsers of visitors to the site. The code then performs malicious tasks on those visitors’ machines.

Chrome OS is designed to limit the damage this technique could cause. It does this via a technique called sandboxing, which is meant to prevent what’s happening in one browser tab from affecting another. Johansen and Osborn used cross-site scripting to attack Chrome OS’s browser extensions, which typically add new functionality.

In Chrome OS, extensions are more powerful than in other browsers, and aren’t subject to the same sandbox rules as browser tabs. That’s because they exist, in part, to provide functions that affect multiple tabs. “You’re talking about a super pared-down version of the operating system,” says Osborn, “and they’re trying to rebuild functionality through extensions.”

The researchers found that extensions can get broad access to what’s going on in users’ browser tabs. As such, someone could use them to steal usernames and passwords, cookies, and browsing history information, including information that comes from sites that don’t have vulnerabilities themselves.

Threat extension: Chrome OS relies on browser extensions, shown here, to add full functionality to the operating system. But researchers say they can also open the system to security threats.

The researchers found that many existing extensions had broad permissions and were vulnerable to cross-site scripting. They also showed that it’s possible to build malicious extensions. Such extensions could be disguised, for example, as ways to get images of pop stars.

The researchers say there’s no way to block this threat because anyone can make an extension, and Google doesn’t review them before they’re made available to users. There are nearly always going to be some extensions with security vulnerabilities, giving hackers a way to bypass the otherwise solid protections of Chrome OS.

The researchers were also able to steal data from LastPass, a password management system, by taking over a different extension and using it to open new tabs. This allowed them to see the password information that LastPass inserted. Though LastPass changed its system so that user information is no longer automatically entered, this still wouldn’t protect a user from a hacker who got in through a malicious extension, the researchers say. A hacker would just have to wait until the user opened a new tab.

“Whose problem is this on the whole?” Johansen says, noting that both Google and extension makers may have a responsibility to protect against the attack.

Google has fixed the problems with its own extensions, and is contacting extension makers who may be able to help. On Friday, the company posted a blog entry emphasizing the power of Chrome’s built-in security: “We continue to improve features like our Safe Browsing API and our extensions model that help protect users from malicious Web content.” Still, Google says users need to be careful about what permissions they grant to extensions and where they travel on the Web.

Google has also issued guidelines for developers on writing extensions more securely. The next release of Chrome will also support a content security policy designed to reduce the risk of cross-site scripting attacks.
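The permission and content-security-policy concerns above can be checked mechanically. This added example (not from the article, Google, or the researchers) audits an extension manifest for broad host access, sensitive API permissions and weak `script-src` settings; the sample manifest and the `auditManifest` helper are constructed for illustration, while the manifest keys are Chrome's.

```javascript
// Audits a Chrome extension manifest for broad access and a weak CSP.
// Added illustration: auditManifest and the sample manifest are hypothetical.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_APIS = new Set(["tabs", "cookies", "history"]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 lists hosts in "permissions"; V3 moves them to "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    if (BROAD_HOSTS.has(p)) findings.push(`broad-host:${p}`);
    else if (SENSITIVE_APIS.has(p)) findings.push(`sensitive-api:${p}`);
  }
  // Content scripts that match every site run inside every page the user opens.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.push(`content-script-all-sites:${m}`);
    }
  }
  // The policy is a string in V2 and an object with "extension_pages" in V3.
  const raw = manifest.content_security_policy;
  const csp = typeof raw === "string" ? raw : (raw && raw.extension_pages) || "";
  if (!csp) {
    // No explicit policy: which default applies depends on the manifest version.
    findings.push("csp:not-declared");
  } else {
    // Only the script-src directive is inspected here.
    const scriptSrc = csp.split(";").map(d => d.trim().split(/\s+/))
      .find(d => d[0] === "script-src") || [];
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (scriptSrc.includes(weak)) findings.push(`csp:${weak}`);
    }
    if (scriptSrc.some(s => s.startsWith("http:"))) findings.push("csp:http-script-source");
  }
  return findings;
}

// Constructed sample input, not a real extension.
const sampleManifest = {
  name: "Pop Star Wallpapers (constructed)",
  manifest_version: 2,
  permissions: ["tabs", "cookies", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'"
};

console.log(auditManifest(sampleManifest));
```

An empty result means none of these specific checks fired; it does not show that the extension's own code is free of cross-site scripting flaws.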

“This conversation is about the web, not Chrome OS,” a statement from Google says. “[Computers running Chrome] raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.”

In other words, moving the computing experience entirely to the Web may solve one set of security problems while opening up a box full of new ones.
