Researchers crack Chrome OS via extensions
A pair of security researchers have found a way to steal data from Chrome OS via extensions.
Google claims Chrome OS is more secure than other OSes because – among other features – it is updated constantly, meaning it won’t be left unpatched by users.
At the Black Hat conference in Las Vegas, Matt Johansen and Kyle Osborn from White Hat Security revealed how to steal user data by targeting extensions used by the browser-based operating system.
The researchers used a cross-site scripting attack targeting extensions, accessing data on any open tab – even if the webpage doesn’t have a vulnerability of its own.
“You’re talking about a super pared-down version of the operating system,” Osborn told MIT’s Tech Review. “And they’re trying to rebuild functionality through extensions.”
Indeed, the researchers said one simple way to target Chrome OS would be to create malicious extensions or apps, as Google doesn’t vet either before letting users install them.
The pair said Chrome OS was relatively secure, and won’t necessarily be hit by the same security challenges as rival OSes. “There is no access to the hard drive, but we don’t care,” Johansen said. “We’re after information. We’re not trying to build a botnet on your Chromebook.”
The flaws also aren’t unique to Chrome – such attacks can be used against any browser – and Black Hat presenters have consistently proved nothing is secure.
Other researchers at the conference have shown off hacks against energy grids, card-door locking systems, and even medical equipment, by interfering with insulin pumps.