Security researchers at the Black Hat Technical Security Conference Aug. 3 demonstrated how Google Chrome OS extensions provide a point of entry for hackers to steal passwords, contacts and email information. Google (NASDAQ: GOOG) responded by working to close the vulnerabilities, but this problem has no quick fix.
Google Chrome extensions function like web applications, and have varying permission levels. Extensions with broad permissions could allow access to GPS location, for example. Most of the extensions do not undergo any review by Google. Now, the company is working to create more restrictive APIs for common applications, reports InformationWeek.
The hack is noteworthy because, although Chrome OS has only been commercially available for several months, Google repeatedly touted the product's security leading up to its release, notes VentureBeat. "One of the selling points was the promise that it would come with much better built-in security than other operating systems," writes Dean Takahashi.
But the White Hat team, led by Matt Johansen and Kyle Osborn, told InformationWeek's Nick Hoover that Chrome's security is only as good as the apps that are running on it.
"This is a juicy new attack surface," Johansen told Hoover. "There's none of the usual suspects you'd find on the desktop. We're not interested in your hard drive when we can get whatever you have in the cloud."
A Google statement confirmed the premise that the vulnerability lies more in the platform's reliance on the cloud than in the platform itself.
"This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced," a Google spokesperson told VentureBeat.
Read more: Google Chrome OS vulnerability revealed at Black Hat - FierceCIO:TechWatch