
Chrome OS users are at risk

Browser extensions are bad for you
Thu Aug 04 2011, 14:42

SOFTWARE HOUSE Google's Chrome operating system (OS) has many security features built in by default, but its Achilles' heel is its browser extensions which, according to experts, expose people's data to attacks.

Whitehat Security researchers Matt Johansen and Kyle Osborn discussed several Chrome extension-based attack vectors at the Black Hat USA security conference yesterday and, according to them, these fundamental design flaws in Google's web-centric operating system will not be easy to address.

Google Chrome OS is built around the Chrome web browser and most of its functionality comes from web-based apps and extensions that can be downloaded from the Chrome Web Store. However, Chrome's privilege system for these items opens attack possibilities.

Those surfing through the web store will notice that many extensions and apps have warnings like "this extension can access your data on all websites" or "this app can access your tabs and browsing history". Any of them can be a serious security risk.

First of all, a crafty attacker can build a malicious extension and use social engineering to trick users into installing it, especially since the Chrome Web Store submission process is automated and there is no in-depth review of the code.

Such an extension would give the attacker access to people's data, and that doesn't only mean read rights. According to Google's own documentation, extensions can "use your credentials (cookies) to request or modify your data from websites".

And rogue extensions are not the only attack option. Vulnerable ones pose similar risks. For example, a cross-site scripting flaw in a website can be exploited to attack only that website, but an XSS weakness in a Chrome extension can be leveraged to attack all websites opened in the browser, because the extension's code runs with the permissions it was granted rather than with the permissions of any single site.

Getting a lot of people to install a rogue extension can prove difficult, thus limiting the impact of such an attack. However, the pool of potential victims is much larger if a popular extension happens to have a flaw that attackers can exploit.

"The worrying part is that any existing popular extensions which contain vulnerabilities could allow for an attacker to arbitrarily hijack everything that occurs in your browser session. Scary," said Chester Wisniewski, a senior security advisor at Sophos.

"Many extensions available on the Chrome Web Store were not exactly designed with security in mind, which not only makes them potentially vulnerable, but also means they ask for more permissions than they may need to work properly," he added.
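The two failure modes above, an extension that asks for broader access than it needs and an extension that takes text from a visited page and treats it as HTML in its own UI, can both be checked for in code. The following is an added example and not code from the article, from Whitehat Security or from Google; the manifest keys (`permissions`, `content_scripts`, `matches`) and the `<all_urls>` / `http://*/*` match patterns are Chrome's real ones, while the sample manifests, the page title and the function names are constructed for illustration.

```javascript
// Added example (not the article's or any vendor's code). Two defensive checks
// for a Chrome extension: a least-privilege lint on the manifest, and output
// encoding for page-derived text that an extension renders in its own pages.

// Chrome match patterns that cover every site. An extension whose manifest
// lists one of these has access to "your data on all websites", which is the
// warning the article describes seeing in the Web Store.
const BROAD_HOST_PATTERNS = ['<all_urls>', 'http://*/*', 'https://*/*', '*://*/*'];

// Return every all-sites pattern requested in "permissions" or in any
// content script's "matches" list.
function broadPermissions(manifest) {
  const found = [];
  for (const p of manifest.permissions || []) {
    if (BROAD_HOST_PATTERNS.includes(p)) found.push(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOST_PATTERNS.includes(m)) found.push(m);
    }
  }
  return found;
}

// Constructed sample manifests: the same hypothetical note-taking extension,
// once asking for everything and once scoped to the one site it works on.
const GREEDY_MANIFEST = {
  name: 'Example Notes',
  permissions: ['tabs', 'history', '<all_urls>'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['content.js'] }],
};
const SCOPED_MANIFEST = {
  name: 'Example Notes',
  permissions: ['storage'],
  content_scripts: [{ matches: ['https://notes.example/*'], js: ['content.js'] }],
};

// Encode the five characters that let a string break out of HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: an extension copies the visited page's title into markup
// for its own popup. The title is chosen by the site, so any site the user
// opens gets to inject HTML into a page that runs with the extension's rights.
function renderTitleUnsafe(pageTitle) {
  return '<h1>' + pageTitle + '</h1>';
}

// Hardened pattern: the same data, encoded before it becomes markup.
function renderTitleSafe(pageTitle) {
  return '<h1>' + escapeHtml(pageTitle) + '</h1>';
}

// A constructed title such as a hostile page might set.
const HOSTILE_TITLE = 'News <script>alert(1)</script>';
```

Running `broadPermissions(GREEDY_MANIFEST)` returns the three all-sites patterns, while the scoped manifest returns an empty list; `renderTitleSafe(HOSTILE_TITLE)` yields `<h1>News &lt;script&gt;alert(1)&lt;/script&gt;</h1>`, whereas the unsafe version hands the script tag straight to the extension's own origin. In a real extension the same rule applies to `innerHTML` assignments: use `textContent` for page-derived strings, or encode them first.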

The researchers claim that Google has been very responsive so far and has addressed some of the issues. However, others are not so simple to fix because they are part of how Chrome was designed to work.

But, as we all know, eventually the responsibility of protection will fall to the users. People will need to be very careful about what Chrome extensions they install and keep them up to date. If not, you are more the fool. µ


Comments
blah

No, actually they had shown their greed at least, just that people haven't taken more notice. There were recent antitrust complaints sent to the European Commission though. But things such as closing people's AdSense accounts without notice. Reading through the EULA for their services can be scary. If you have Wireshark or the GoogleSharing Firefox extension you'll be amazed at how many connections are made to Google, sometimes automatically without you doing anything. I did a payment through Google Checkout and they froze my account unless I scanned for them my driver's license and bank statement, why?

posted by : dude, 04 August 2011
security

So what you're saying is that the user is the weakness in Chrome OS's security? The user is the biggest weakness in 99% of systems to begin with.

posted by : security, 04 August 2011
worry more about what google is doing...

Meanwhile Google has complete control for whatever shady tracking and backdoor-ing they want. We now know to distrust M$ but Google still hasn't shown its evil. Don't worry, it will.

posted by : google monster, 04 August 2011