Google may have aimed at providing a secure OS in the form of Chrome OS, but the story doesn't end here. A Reuters report says security researchers have discovered vulnerabilities in Chrome OS extensions that allow attackers to steal sensitive data and access victims' accounts. Researchers Matt Johansen and Kyle Osborn of WhiteHat Security found the hole in a Chrome OS note-taking application and were able to exploit it to gain control of a Google e-mail account. Johansen claims to have discovered other applications with the same flaw. Google fixed the problem earlier this year and paid the researchers $1,000 through its security reward program.
Chrome OS being a web-oriented OS, Google had praised its security as compared to other operating systems. But because everything runs inside the browser, Chrome OS depends on extensions and apps for extra functionality, and that dependence exposes a large attack surface. A big reason for these attacks is the "app-crazy" attitude of users: while installing many extensions and applications, they do not read warnings such as "This extension can access: Your data on all websites." According to Google's own Chrome Web Store help entry, by installing such an extension you accept that "This item can read every page that you visit – your bank, your web email, your Facebook page, and so on." Note that these extensions are not written by Google. They are not subject to rigorous code review and are not heavily scrutinized before being made available on the Chrome Web Store, so they may contain security bugs that let an attacker see your entire web activity. The two researchers plan to demonstrate this at the Black Hat security conference later this year. This is going to be interesting. We'll be updating more on this issue. Stay tuned and be secure!
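The "Your data on all websites" warning is driven by the host match patterns an extension declares in its manifest. Below is an added example (not code from the article, from Google, or from the WhiteHat researchers) that audits a manifest and reports which declared patterns grant access to every site and which are scoped to a single host. It assumes the four patterns listed in ALL_SITES_PATTERNS are the ones Chrome treats as all-sites access, and the two sample manifests are constructed for illustration and do not correspond to any real extension.

```javascript
// Added example (not from the original article): audit a Chrome extension
// manifest for host permissions that Chrome surfaces to the user as
// "Your data on all websites".
//
// Assumption: the patterns below are the ones treated here as all-sites
// access; any other match pattern is treated as scoped to its host.
const ALL_SITES_PATTERNS = new Set([
  "<all_urls>",
  "*://*/*",
  "http://*/*",
  "https://*/*",
]);

// Host match patterns look like scheme://host/path. Anything else in the
// permissions array ("tabs", "storage", ...) is an API permission, not a host.
function isMatchPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

// Manifest V2 keeps host patterns in "permissions"; Manifest V3 moves them
// to "host_permissions". Read both so the audit works for either version.
function hostPatterns(manifest) {
  const fromPermissions = (manifest.permissions || []).filter(isMatchPattern);
  const fromHosts = manifest.host_permissions || [];
  return [...fromPermissions, ...fromHosts];
}

// Patterns that let the extension read every page the user visits.
function allSitesPermissions(manifest) {
  return hostPatterns(manifest).filter((p) => ALL_SITES_PATTERNS.has(p));
}

// Patterns restricted to specific hosts (the least-privilege alternative).
function scopedPermissions(manifest) {
  return hostPatterns(manifest).filter((p) => !ALL_SITES_PATTERNS.has(p));
}

// Summary a reviewer or a store-side check could act on.
function report(manifest) {
  const broad = allSitesPermissions(manifest);
  return {
    name: manifest.name,
    allSites: broad.length > 0,
    broad,
    scoped: scopedPermissions(manifest),
  };
}

// Constructed sample manifests (hypothetical; not any real extension).
// The first declares the weak setting: it can read every http and https page.
const broadManifest = {
  manifest_version: 2,
  name: "Example Notes (broad)",
  permissions: ["tabs", "storage", "http://*/*", "https://*/*"],
};

// The second asks only for the host the note-taking service actually uses.
const scopedManifest = {
  manifest_version: 2,
  name: "Example Notes (scoped)",
  permissions: ["storage", "https://notes.example.com/*"],
};

console.log(report(broadManifest));
console.log(report(scopedManifest));
```

Running the script prints a report for each manifest: the broad one is flagged with `allSites: true` and lists the two wildcard patterns, while the scoped one lists only the single host. A manifest that needs a page's content on one site should declare that host, not a wildcard, since a bug in a wildcard-permissioned extension exposes every page the user visits.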