LAS VEGAS--Google touts the Chrome OS as being free from traditional security concerns like malware, but it's still vulnerable to entirely different kinds of attacks, two researchers from the firm WhiteHat Security told Black Hat attendees here today.
The Chrome OS is unlike any other desktop system currently available, said Matt Johansen, WhiteHat Security's team lead. "It's more similar to mobile devices and apps, where to get more out of the device you're going to need to install extensions," he said. "Mobile bugs are being sold for 20 to 30 percent more than desktop bugs because if you own somebody's phone you own their life."
Unlike Apple, though, there's no review process, which in turn increases the security risk, said Kyle Osborn, an application security specialist focusing on offensive security for WhiteHat Security.
"We actually saw an extension in the Chrome Web Store called Cookie Stealer that did precisely that. But hey, it had the checkmark next to it that it was verified safe and secure," Johansen quipped.
When the Cr-48 demo laptop running Chrome OS first came out in December 2010, Google approached WhiteHat Security to find security risks in the OS. They quickly found a hole in the ScratchPad note-taking app, which could affect all Chrome OS users since it's one of the few apps that comes pre-installed.
When you take notes with ScratchPad, it syncs the note to your Google Docs account. What most people didn't realize about Google Docs is that the person you share a document or folder with doesn't have to approve receiving it; it just automatically appears in that person's Docs. This lack of structured permissions massively increased the risk of running an exploit, said Johansen, because it affects everybody, it has access to your Google log-in, and there's no permissions wall to break through.
The risk is even worse than that, said Osborn. "Because it has access to all sub-domains under Google.com, this could include your contacts or Voice account. An exploit could export your entire contact list as a CSV," he said, simply because you were using a Google-written app.
"This is a zero-click, or at max a one-click worm," said Johansen. He said that Google was quick to fix the exploit once his company notified them, but the larger problem of open permissions left Chrome OS users vulnerable. Along with permissions, he said, the very list of APIs that allowed extension writers to create powerful tools also led to serious security risks. That list includes the API for Tabs, which means that an exploit could easily gain access to your entire browsing session.
"Of course, your note-taking extension is going to have to talk to your Google Docs account, or your banking extension will have to talk to your bank," Johansen said, and Osborn added that he's found extensions that have access to all Chrome APIs, including bookmarks, cookies, history, windows, and tabs. "There's no need to inject code into google.com if you have access to these APIs," he said.
"This affects mobile, too. A new feature of the Android Market is that you can log in with your Google account and install apps [from the desktop to the phone]. We can now force the download and install of any application that we want," said Osborn.
In a statement, a Google spokesperson responded: "This conversation is about the Web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the Web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced."
When it comes to Chrome app-based threats, Osborn and Johansen are not looking for usual suspects, such as Microsoft Office exploits or buffer overflows. They're looking at things like e-mail notifiers, note-taking apps, and RSS readers, which have to have wide-open permissions to run properly. Basically, they said, they're looking at any extension that talks to a database, or any extension that takes input from somewhere and displays it to the user.
However, they also had good things to say about Chrome as an operating system. Osborn noted a recent blog post by Google on how to write extensions for Chrome more securely, and Johansen said certain features in Chrome OS did make the computer safer. These included better-known protections such as sandboxing tabs so they didn't "talk" to each other and removing nearly all local storage, but he also pointed out that the operating system handles its own plug-ins, restricts the "attack surface" to client-side browser exploits, and eliminates most modern virus and malware threats. Also, he said, the Chrome Web Store is segregated from everything else, which means that it's hard to launch an attack through the store itself.
The issue of permissions is complicated because it basically turns the end user into a firewall. Although the program, app, or extension tells you when you install it which permissions it requires, the act of blocking those falls to the user. "Whose problem is it with these permissions? Is it Google's? The developer's?" Johansen asked the crowd.
He added that Google has been responsive and open in talking with his company about these problems. "We would like to see more restrictive APIs in the future," he concluded.
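The install-time permission review that the article says falls to the user can be scripted. The following is an added example, not code from the talk, Google, or WhiteHat Security: a Node.js audit that reads an extension manifest and flags the API permissions named above (tabs, cookies, history, bookmarks) together with broad host patterns. The risk tiers, verdict names, and sample manifests are assumptions constructed for illustration.

```javascript
// Added example. Tiers, verdict names and sample manifests are assumptions.
const SENSITIVE_APIS = new Set(["tabs", "cookies", "history", "bookmarks"]);
const ALL_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Classify one declared permission; returns null for entries not scored here.
function classify(perm) {
  if (typeof perm !== "string") return null;
  if (SENSITIVE_APIS.has(perm)) return { perm, kind: "api", risk: "high" };
  if (ALL_HOSTS.has(perm)) return { perm, kind: "host", risk: "high" };
  // Host match pattern: scheme://host/path
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\/.*$/.exec(perm);
  if (!m) return null;
  if (m[2] === "*") return { perm, kind: "host", risk: "high" };
  const risk = m[2].startsWith("*.") ? "medium" : "low";
  return { perm, kind: "host", risk };
}

// Collect permissions from every place a manifest can grant page access.
function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const findings = declared.map(classify).filter(Boolean);
  const high = findings.filter((f) => f.risk === "high");
  let verdict = "narrow";
  if (findings.some((f) => f.risk !== "low")) verdict = "review";
  // Sensitive API plus every-site access: full view of the browsing session.
  if (high.some((f) => f.kind === "api") && high.some((f) => f.kind === "host")) {
    verdict = "broad";
  }
  return { verdict, findings };
}

// Constructed sample manifests (not real extensions).
const samples = {
  notes: { permissions: ["tabs", "cookies", "history", "bookmarks", "<all_urls>"] },
  wildcard: { permissions: ["notifications", "*://*.example.com/*"] },
  scoped: { permissions: ["notifications", "https://mail.example.com/*"] },
};

for (const [name, manifest] of Object.entries(samples)) {
  const { verdict, findings } = auditManifest(manifest);
  console.log(name, verdict, findings.map((f) => `${f.perm}:${f.risk}`).join(", "));
}
```

An extension scoped to a single host comes back `narrow`, a wildcard-subdomain grant comes back `review`, and a sensitive API combined with all-sites access comes back `broad`.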
Updated August 4 at 12:33 PT with a statement from Google.