Security Researchers Demonstrate Hacking Google’s Chrome OS
When Google first mentioned its Google Chrome OS software several years ago, one of the selling points was the promise that it would come with better built-in security compared to other operating systems. The Chrome OS has commercially been available for a few months now and security researchers have already figured out how to hack it.
Two researchers told a crowd that they had used web-based hacker tricks to compromise the security of the Chrome OS at today’s Black Hat security conference. The Chrome OS is the software that powers the recently launched Chromebooks from a variety of vendors. The hacks gave the researchers the ability to access a user’s email, Google Docs, contacts, and Google Voice messages. If Google doesn’t patch the variety of flaws or if the researchers uncover more flaws, then hackers could have a field day accessing data on Chromebooks everywhere. Two researchers at White Hat Security’s Threat Research Center, Matt Johanson and Kyle Osborn, said in their talk that they had spent months doing research on the Chrome OS. They ended up finding a flaw in ScratchPad, which is a preinstalled extension to the Chrome OS that lets people take notes and save them to cloud-based Google Docs. On stage at the Black Hat security conference, the researchers showed both videos of the hacked documents and live demos as well. “You basically grab and download someone’s contacts like this,” Osborn said, demonstrating the deed on a big screen.
A Google spokesman said the following in a statement regarding the demonstration: “This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.” Google also recently published information about writing more secure extensions to the Chrome OS, and it explained why it thinks the Chrome OS is more secure.
With Chromebooks, there is no data stored on the device and everything takes place essentially in the cloud and is accessible via the Chrome web browser. By attacking browsers with known exploits such as cross-site scripting, cross-site requests, and “clickjacking,” hackers can get around the Chrome OS’s security protections and access sensitive data. The researchers say they can do high-speed scans of intranets via the hack and can view active host Internet Protocol addresses (which let them figure out what websites you’re looking at). They say they also have the ability to take over a user’s Google account by stealing session cookies, which can contain user password data. The Chrome OS isn’t unique in having these types of vulnerabilities either, other OSes are also subject to similar attacks.
Google was informed about the vulnerabilities and addresses some of them including the ScratchPad flaw, but the researchers mentioned some of the underlying weaknesses still remain. The demonstration is just a reminder that the shift toward cloud computing won’t resolve all the common security problems that today’s computers have.