When Google first started talking about its Google Chrome OS software a few years ago, one of the selling points was the promise that it would come with much better built-in security than other operating systems. Now, Chrome OS has only been commercially available for a few months, and security researchers have already figured out how to hack it.
Two researchers told a crowd at the Black Hat security conference today that they had used web-based hacker tricks to compromise the security of the Chrome OS, which is the software that powers recently launched laptop-like Chromebooks from a variety of vendors. The hacks let the researchers get access to a user’s emails, Google Docs, contacts, and Google Voice messages. If Google doesn’t patch the variety of flaws found or if researchers uncover more, then hackers could have a field day accessing data on Chromebooks.
Matt Johanson and Kyle Osborn, two researchers at White Hat Security’s Threat Research Center, said in their talk that they spent months doing research on Chrome OS. They found a flaw in ScratchPad, a preinstalled extension to the Chrome OS that lets people take notes and save them to cloud-based Google Docs. On stage at Black Hat, the researchers showed both videos of the hacked documents and live demos as well.
“You basically grab and download someone’s contacts like this,” Osborn said, demonstrating the deed on a big screen.
In a statement, a Google spokesman said, “This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.”
Google also recently published information about writing more secure extensions to the Chrome OS, and it explained why it thinks the Chrome OS is more secure.
With Chromebooks, no data is stored on the device and everything takes place in the cloud and is accessible via the Chrome web browser. By attacking browsers with known exploits such as cross-site scripting, cross-site requests, and “clickjacking,” hackers can get around the Chrome OS’s security protections. The researchers say they can do high-speed scans of intranets via the hack and can view active host Internet Protocol addresses (which let them figure out what websites you’re looking at). They also say they can take over a user’s Google account by stealing session cookies, which can contain user password data.
Chrome OS is not unique in having these types of vulnerabilities. Other OSes are also subject to similar attacks.
Google was informed of the vulnerabilities and addressed some of them, including the ScratchPad flaw, but the researchers said some of the underlying weaknesses remain.
The demonstration is a pointed reminder that the shift toward cloud computing is not a panacea for all security problems.