AfterDawn: Tech news

Security researchers play with Chrome OS bugs

Written by James Delahunty @ 03 Aug 2011 11:59 User comments (1)

Security researchers play with Chrome OS bugs Chrome OS extensions singled out for analysis.
Google touts the additional security that is offered by Chromebooks. On the level of hardware and the operating system itself, the security aspect cannot be denied. It has no native applications except for a browser and it had built in systems to protect the system from boot.

However, Chromebooks are vulnerable to many of the same threats that affect web users every day already. WhiteHat Security researcher Matt Johansen calls attention to Chrome OS' reliance on extensions, Often times, extensions contain cross-site scripting (XSS) bugs that can be exploited by hackers.

Of particular interest is how a bug in one extension could result in the hijacking of communications of a different, secure, extension. As a demonstration at the Black Hat conference, Johansen and colleagues exploited an XSS bug in an extension to steal passwords from an otherwise secure account on LastPass, a cloud password storage service.

"If any of the other vulnerable extensions have an XSS hole, we can utilize JavaScript to hijack that communication," Johansen said. "LastPass is doing absolutely nothing wrong here. You can have an extension that's perfectly fine, but if you have another that has a cross-site scripting error in it we can still access information in secure applications."



This reality raises questions about who is liable to fix these problems. Google doesn't believe this is a problem with its operating system however.

"This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels," A Google spokeswoman told The Register.

"They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced."

Previous Next  

1 user comment

14.8.2011 00:19

Google is headed down the Apple road if they keep acting like this...if a website can hijack extensions, then that is a problem with the browser...plane and simple...and without the ability to use quality security tools, google's failure to act on this could be the downfall of the platform.

Comments have been disabled for this article.

Latest news

Roomba Combo j7+ review - Clever trick allows robot vacuum finally to tackle home with rugs and carpets Roomba Combo j7+ review - Clever trick allows robot vacuum finally to tackle home with rugs and carpets (06 Jun 2023 9:19)
Roomba Combo j7+ is the very first Roomba model to combine robot vacuum with mopping features. And Roomba Combo j7+ does all that with a very clever trick, which tackles the problem with mopping and carpets. But is it any good? We found out.
Neato, the robot vacuum company, ends its operations Neato, the robot vacuum company, ends its operations (02 May 2023 3:38)
Neato Robotics has ceased its operations. American robot vacuum pioneer founded in 2005 has finally called it quits and company will cease its operations and sales. Only a skeleton crew will remain who will keep the servers running until 2028.
5 user comments
How to Send Messages to Yourself on WhatsApp How to Send Messages to Yourself on WhatsApp (20 Mar 2023 1:25)
The world's most popular messaging platform, Meta-owned WhatsApp has enabled sending messages to yourself. While at first, this might seem like an odd feature, it can be very useful in a lot of situations. ....
18 user comments
How to Enable Bluetooth on Stadia Controller How to Enable Bluetooth on Stadia Controller (11 Feb 2023 1:04)
Google shut down its streaming game service Stadia late last month and this means that some people have Stadia controllers lying around that seem to be of no use. That is fortunately not the ....
2 user comments
Guide: How to Kick Unwanted Guests from Your Netflix Account Guide: How to Kick Unwanted Guests from Your Netflix Account (26 Jan 2023 2:14)
Sharing a Netflix account with a person in a different location is possible and indeed very common, although the company doesn't necessarily enjoy this behavior from their customers. However, ....

News archive