AfterDawn: Tech news

Researchers find flaws in Google Chrome OS systems

Written by James Delahunty (Google+) @ 29 Jun 2011 23:33

Researchers find flaws in Google Chrome OS systems Flaws could undermine Google's focus on security of Chrome-powered devices.
Since Google's Chrome operating system is built to be used connected to the web, users' files and work will mostly be saved in the cloud. Using Google Docs applications for example, automatically stores the work on Google's servers so you can access it from anywhere across a variety of devices.

Google believes this is the future of computing, and its Chrome OS is designed specifically for Cloud-based use. It also allows Google to talk up security, as your documents are stored and well protected in the Cloud, whereas if somebody were to steal your Chromebook, they won't find all of your files on your HDD like they will if they steal your notebook PC.

However, researchers at an independent security firm say that Chrome's reliance on web computing also makes it vulnerable in other ways. WhiteHat Security researcher Matt Johansen was paid $1,000 by Google for reporting a flaw in the Chrome OS note-taking application that he successfully exploited to hijack a Google Mail account.

Since then, Johansen has said he found the same basic flaw with many other applications (or extensions). "This is just the tip of the iceberg," he told Reuters. "This is just evolving around us. We can see this becoming a whole new field of malware."

Johansen says the key to for Chrome OS hacking is to somehow capture data that is being sent and received by the Chrome browser, to and from the Cloud. "I can get at your online banking or your FaceBook profile or your email as it is being loaded in the browser," he said.

"If I can exploit some kind of Web application to access that data, then I couldn't care less what is on the hard drive." Such snooping could be done by exploiting a vulnerability found in a Chrome extension, for example.

Google has recently revealed plans to improve the screening of Chrome extensions to avoid security problems. "Chrome is trusting these extensions more than it would be trusting just another website," Johansen said, referring to how the operating system gives extensions sweeping rights to access data stored on the cloud.

Previous Next  
Comments have been disabled for this article.

News archive