Black Hat

Google Chrome OS Promises Computing Without Pain

Vulnerabilities in Google Chrome OS extensions could give malicious hackers an easy point of attack to steal users' passwords, contacts, email, and more, according to two researchers speaking at Black Hat, a UBM TechWeb event, in Las Vegas on Wednesday.

While Google has extoled the security of its new mobile operating system, the system is only as secure as the apps that run on it, according to White Hat team lead Matt Johansen and application security specialist Kyle Osborn. "This is a juicy new attack surface," Johansen said. "There's none of the usual suspects you'd find on the desktop. We're not interested in your hard drive when we can get whatever you have in the cloud."

Extensions on Google Chrome are generally just miniature web apps, and the vulnerabilities detailed by Johansen and Osborn are cross-site scripting bugs that allow a hacker to inject malicious JavaScript into users machines by taking advantage of permissions the apps use to interact with browser tags, grab contacts or take other actions. These permissions allow, for example, the application to access users' GPS location, call history, or browser.

The primary problem, Johansen and Osborn said, is that many extensions allow wide-open permissions, and often more access than they need, such as the ability to access any website whatsoever. Some apps, such as RSS readers, mail notifiers, and note takers, often require broad access.

Apple vets applications that wind up on its AppStore, but Google does not do the same for extensions made available for Chrome OS. That means that a malicious actor could upload an innocuous-sounding extension to the Chrome Web Store and then hack those who download it. In fact, to prove the point, Osborn said he successfully briefly uploaded an extension called "Malicious Extension" to the Web store (though he immediately took it down thereafter).

That extension can carry out a port scan to scan other IP addresses within the subnet to which a mobile device is connected, grab users' Google Contacts, use the user's logged in Google session to send a text message to another individual, initiate phone calls, and inject JavaScript that could include something like key-logging capability into any website.

However, in addition to malicious apps, there may be vulnerabilities even in common apps. Johnasen and Osborn discovered, for example, that Google's ScratchPad note-taking app allowed them to use a cross-site scripting injection to grab users' contacts, as well as their cookies, which could in turn provide a hacker with access to, for example, a user's Gmail or call history. While Google quickly closed this vulnerability after its discovery, Johansen noted that the two have found vulnerabilities in numerous other apps that could allow similar permissions.

The researchers showed how another vulnerability in an RSS reader could be used to hack password-storing website LastPass if a user had the LastPass extension installed in Chrome, even though LastPass doesn't have any inherent vulnerabilities itself. Because the RSS reader might have the capability to launch web pages and interact with them, a hacker could spawn a window with LastPass.com, which would be automatically logged in because of the presence of the LastPass extension, then inject JavaScript code to steal the local crypto key and database for LastPass, decrypt the key on the hacker's side, and voila, have access to all of a user's passwords. LastPass has, since the discovery of this possible bug, made it harder to take advantage of this by requiring users to manually log in once a LastPass tab is opened.

While these holes may sound somewhat gaping, Google, to its credit, is working to fix some of them. For example, it is working on making more restrictive APIs for common application use cases like RSS readers and has provided developers with a tip guide on how not to use JavaScript and how to avoid putting unnecessary permissions in extensions.

GTEC brings together leading public and private sector experts to collaborate on serving Canadian citizens better through innovation and technology. It happens in Ottawa, Oct. 17-20. Find out more.