Chrome OS Hacked via Scratchpad

Posted on 20. Jul, 2011 by in Chrome OS, News


Google’s been marketing its Chrome OS as more secure than traditional PCs. And they’re right, in a sense- it is a lot more secure than your standard, run of the mill operating platform. That doesn’t mean that Chromebooks- and their users- are completely invulnerable. I’ve cautioned before against making such assumptions, and stories like this only drive home what I’ve been saying. WhiteHat Security researcher Matt Johansen doesn’t believe for a second that the Chrome OS is safe or secure. At the end of last month, he claimed to have found evidence to prove it.

In a piece he published on Reuters, Johansen discovered and demonstrated a vulnerability in Google’s operating system that could be used to gain total control of a Gmail account. CNet got in touch with Google after hearing about Johansen’s claims, and a Google spokeswoman confirmed that what the researcher reported was patched months ago, at the same time questioning why Chrome should be labeled as vulnerable simply because it uses extensions. She felt it wasn’t a particularly fair analysis- after all, all modern browsers run extensions. “If anything,” she told Cnet, “this is more about Chrome the browser and what we do to protect extensions running in Chrome. All modern browsers run extensions, and all major computer lines support browsers. These kinds of web attacks are also valid on other browsers and devices, as even extension reviews are not foolproof.”

While Johansen acknowledged that Google had patched the vulnerabilities he directly demonstrated, he still wasn’t satisfied. Why? Evidently, he still knew something Google didn’t know, claiming that applications constituted a considerable- and rather crippling- vulnerability in Google’s cloud-based operating system. “I can get at your online banking or your Facebook profile or your e-mail as it’s being loaded in the browser,” Johansen said to Reuters. “If I can exploit some kind of web application to access the data, then I couldn’t care less what is on the hard drive.” Naturally, a lot of folks- myself included- thought his failure to back up his claims with solid proof rather suspicious. We wanted him to put his money where his mouth was.

As the old adage goes, “Be careful what you wish for”- because he just did.

The Demonstration

 


True to his word, on Friday Johansen detailed and demonstrated just what he was talking about in the Reuters piece at a preview event to Black Hat’s August security conference. We already know he felt that the applications and extensions on Chrome were not secure- now he’s given us a bit of insight into why he felt that way. He considers Chrome Extensions and Apps to be analogous to smartphone apps. In the same way that mobile apps get certain permissions that can be abused on the phone, Chrome apps and extensions get some permissions that, in the wrong hands, could be downright dangerous.

And here, we see that the security risk doesn’t lie one hundred percent in Google’s hands.

See, each app or extension first asks for permissions from a user before downloading, in the same manner as mobile apps. Johansen noted that most users don’t even bother reading what permissions an app or extension requires, and simply allow it to download onto their system without a second thought as to the ramifications. Gotta say, he’s got a pretty good point there- I’m pretty sure almost everyone reading this has done exactly what he’s describing at least once. This is a practice that Johansen considers particularly dangerous, since we’re basically giving an extension free rein to perform some sort of malicious activity. Granted, most apps are reasonably safe, but... all it takes is one bad extension, and then your information is in the wrong hands.


The specific example given by Johansen of this security risk was the Scratchpad extension for Google Docs- an extension which is installed by default on a Chromebook. The permissions in this extension allow it to auto-sync with a user’s Google Docs account. That’s dangerous, Johansen says, because Google Docs lets users share documents with others without first asking the receiving user if they want to receive the document or not. When using Scratchpad, the user is logged in and authenticated to Google. There’s a loophole there, one that could easily be exploited to unsavory ends. In his demonstration, Johansen was able to share a malicious note through Scratchpad which, when opened, stole all of the user’s Gmail contacts.

 

Final Thoughts: A Widespread Vulnerability?


“While wide open permission in an extension can be trouble, damage can be done with minimal permissions as well,” Johansen noted. “Extensions are mini web applications and we’re attacking them via web application techniques we’ve been using for years. Cross site scripting is the most widespread attack on the web and we’re utilizing it in ways we haven’t seen before on the browser extension trust model.” According to Johansen, it’s not just Scratchpad- virtually any extension could end up being the victim of a malicious attack. While Chrome might be immune to many traditional forms of attack, Johansen feels that most attacks directed at Chrome will come via extensions. But doesn’t Google screen their extensions to ensure there’s no malware present?

Yes, they do. But as we just saw in Johansen’s demonstration, that doesn’t mean there aren’t still avenues of attack for criminals who are creative enough.
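
For anyone who wants to check what an extension is actually asking for before trusting it, here is a small manifest audit covering the permission and cross-site scripting points above. It is an added example, not code from Johansen, Google or Scratchpad; the two manifests are constructed for illustration, and the lists of "broad" and "sensitive" entries are assumptions you would tune to your own policy.

```javascript
// Added example: audit a Chrome extension manifest for over-broad access.
// Host patterns that give an extension access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Permissions that expose browsing data or sessions across sites (assumed list).
const SENSITIVE = new Set(["tabs", "cookies", "history", "webRequest"]);

function auditManifest(manifest) {
  const findings = [];
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // Manifest V3 lists hosts separately
  ];
  for (const p of perms) {
    if (BROAD_HOSTS.has(p)) findings.push(`broad host access: ${p}`);
    else if (SENSITIVE.has(p)) findings.push(`sensitive permission: ${p}`);
  }
  // The CSP is a string in Manifest V2 and an object in Manifest V3.
  // When no policy is declared the browser's default applies, so only a
  // declared policy is checked for tokens that weaken script restrictions.
  const raw = manifest.content_security_policy;
  const csp = typeof raw === "string" ? raw : (raw && raw.extension_pages) || "";
  for (const token of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (csp.includes(token)) findings.push(`CSP contains ${token}`);
  }
  return findings;
}

// Constructed manifests; not taken from any real extension.
const riskyManifest = {
  name: "Hypothetical Notes",
  permissions: ["tabs", "https://*/*", "https://docs.google.com/*"],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const tightManifest = {
  name: "Hypothetical Notes (hardened)",
  permissions: ["https://docs.google.com/*"],
  content_security_policy: "script-src 'self'; object-src 'self'",
};

console.log(auditManifest(riskyManifest)); // three findings
console.log(auditManifest(tightManifest)); // no findings
```

An empty result only means the manifest is not asking for more than it needs. As Johansen's quote says, an extension with minimal permissions can still be hit if it renders shared content as markup.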

A lot of the reason Chrome’s immune to a lot of traditional attacks is that it’s the first of its kind. Most operating systems are grounded on the hard drive- so that’s what the vast majority of malware floating around the internet tends to target. With Chrome, it’s a whole different ball game. There isn’t any truly valuable data stored on the hard drive, nor is there any reason to try to gain control of the system- it’s all about the data that’s being exchanged on the cloud. As with any other operating system, once Chrome gets popular, malware will start appearing. It’s an inevitability, and one we need to be prepared for.


Reading this, some of you might have been turned off from the Chrome operating system. That was not my intent- not in the least. I consider this more of a cautionary tale- as does Johansen, it seems. Back when the original Reuters piece hit the net, Johansen explained himself to Cnet: “I wouldn’t say Chrome OS is ‘not secure,’ but it certainly isn’t the end-all of security issues,” Johansen said. “All of the steps to remove access to the hard drive and all of the sandboxing that Google does are great security improvements.”

I’ve said it before, I’ll say it again- Chrome is probably the most secure operating system in circulation right now, but it’s not one hundred percent secure. No operating system is. I think what Johansen is trying to do here is demonstrate to users some of the ways in which they might be attacked in this new ecosystem, allowing them- or, perhaps, Google- to better protect themselves. People are generally more cautious when they don’t have illusions of invulnerability, after all.

via Esecurity Planet


One Response to “Chrome OS Hacked via Scratchpad”

  1. [...] Chrome OS isn’t the only system that’s taking a figurative beating at the upcoming Black Hat [...]
