True to his word, security researcher Matt Johansen this week demonstrated the security holes in Google’s Chrome OS that have been the subject of so much discussion. Apparently, his demonstration…basically involved what he already showed us all last month. Just a touch anticlimactic, don’t you think? The way Johansen talked, I thought he might have a few new demonstrations for the lot of us.
The whole presentation wasn’t a retreading of old ground, though. While he did repeat a lot of what he said when he demoed the Scratchpad exploit, he also had a few new things to say about applications, extensions, and security on Google’s Chrome Operating System. For those of you who haven’t already discerned the nature of these statements, I’ll give you a hint: they aren’t good.
A Whole New Ball Game
It’s been said before: Chrome is unlike any operating system that’s been seen to date, so naturally, the malware we’re going to see on the system is going to be different from the typical system hijacks and security exploits we see on traditional platforms. That doesn’t make these exploits any less dire. In a sense, they’re actually worse. See, what’s on the physical hard drive doesn’t matter anymore. What hackers and digital ne’er-do-wells are looking to get their claws on is raw data.
And according to Johansen and Osborn, Chrome’s making it distressingly simple for them to do so.
“The Chrome OS is unlike any other desktop system currently available,” said Johansen. “It’s more similar to mobile devices and apps, where to get more out of the device you’re going to need to install extensions. Mobile bugs are being sold for twenty to thirty percent more than desktop bugs because if you own somebody’s phone, you own their life.”
It’s in the extensions and applications, Osborn said, that Google’s Chrome OS encounters its greatest security threat. Not in some bug or glitch, but in the raw coding of the application store itself. “Unlike Apple, there’s no review process [for native apps], which in turn increases the security risk,” stated Osborn.
“We actually saw an extension in the Chrome Web Store called Cookie Stealer that did precisely that,” stated Johansen. “But hey, it had the checkmark next to it that it was verified, safe, and secure.” Sounds to me like Google needs to take a long, hard look at their application review process. A more stringent set of guidelines might stifle the open-source community a bit on the OS, but at the same time, it’ll help to ensure that add-ons like Cookie Stealer don’t manage to make their way into the larger Chrome community.
Any application that is linked to a database, or any application
Applications like e-mail notifiers, notepad-like software and RSS readers are some of the riskiest pieces of software, in the eyes of Osborn and Johansen. Because they need such wide-open permissions to run properly, the list of exploits that such addons could contain is, well…a bit distressingly long.
“Along with permissions,” said Johansen, “the very API list which allows extension writers to create powerful tools also leads to serious security risks. In the list of APIs that extensions have access to is the one for Tabs, which means that an exploit could gain access to your entire browsing session.” It gets worse.
“Of course, your note-taking extension is going to have to talk to your Google Docs account, or your banking extension will have to talk to your bank,” said Johansen. Osborn continued his train of thought, adding that the two of them have discovered a number of extensions that include access to all of Chrome’s APIs: bookmarks, cookies, history, windows, and tabs. Hell, I myself have even seen add-ons that are able to determine, and gain access to, your physical location. “There’s no need to inject [malicious] code if you have access to these APIs,” said Osborn.
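The permission surface described above can be read straight out of an extension's manifest before it is installed. The following is an added example, not code from the researchers or from Google: it flags the APIs named in the article (plus geolocation) and all-site host patterns. The risk notes and the sample manifests are constructed for illustration.

```javascript
// Added example: flag the extension permissions discussed in the article.
// Risk notes are this example's own wording; sample manifests are constructed.
const SENSITIVE_APIS = new Map([
  ["tabs", "URL and title of every open tab"],
  ["cookies", "cookies for any host the extension is granted"],
  ["history", "full browsing history"],
  ["bookmarks", "read and modify bookmarks"],
  ["geolocation", "physical location"],
]); // chrome.windows is absent: it needs no manifest permission of its own
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  // MV2 mixes host patterns into "permissions"; MV3 moves them to
  // "host_permissions". Optional permissions can be requested at runtime.
  const declared = [...new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
  ])].filter((p) => typeof p === "string");
  const apis = declared.filter((p) => SENSITIVE_APIS.has(p));
  const broadHosts = declared.filter((p) => BROAD_HOSTS.has(p));
  // Content-script matches grant page access but not chrome.cookies access.
  const injectsEverywhere = (manifest.content_scripts || [])
    .some((cs) => (cs.matches || []).some((m) => BROAD_HOSTS.has(m)));
  const findings = apis.map((p) => `${p}: ${SENSITIVE_APIS.get(p)}`);
  broadHosts.forEach((h) => findings.push(`${h}: host access to every site`));
  if (injectsEverywhere) findings.push("content script runs on every site");
  return {
    name: manifest.name || "(unnamed)",
    apis,
    broadHosts,
    injectsEverywhere,
    // chrome.cookies needs the permission AND matching host access.
    cookiesOnAllSites: apis.includes("cookies") && broadHosts.length > 0,
    findings,
  };
}

const SAMPLES = [
  { name: "Mail Notifier (constructed)", manifest_version: 2,
    permissions: ["tabs", "cookies", "history", "bookmarks", "<all_urls>"] },
  { name: "Page Notes (constructed)", manifest_version: 3, permissions: ["cookies"],
    host_permissions: ["https://example.com/*"],
    content_scripts: [{ matches: ["*://*/*"], js: ["notes.js"] }] },
];
for (const r of SAMPLES.map(auditManifest)) {
  console.log(r.name, r.cookiesOnAllSites ? "[cookies on all sites]" : "", r.findings);
}
```

The second sample shows why host patterns are checked separately from content-script matches: it holds the cookies permission but only for one host, so it is reported for page injection and not for all-site cookie access.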
“This conversation is about the web, not Chrome OS,” replied a Google spokesperson. “Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the Web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.”
This isn’t to say that Google’s ignoring the issue of security. Seems they aren’t keen on repeating Apple’s mistakes: you know, the mistakes that led to MacDefender infecting virtually millions of systems. In order to establish that the presentation wasn’t simply a Chrome-bashing session, both researchers noted that Google is essentially looking into the development of applications to police other APIs, keeping tabs on the activity of other programs within Chrome and cutting off any specific activity. It’d definitely be a welcome feature, for sure, and might actually serve to close one of the few security holes within the Chrome OS.
If there’s anything you should take away from this whole discussion, it’s this: exercise caution. Every system has security holes and exploitable flaws; that’s a given. I could go on all day about the exact scope and span of malware that’s available for the PC, or the Mac. A hacker can gain access to your banking information or personal data just as easily on a physical system as they could on a cloud-based PC; they’d just need to use different methods for each one.
Chrome is to date one of the most secure operating systems around. That’s not to say that these aren’t flaws that Google needs to fix; just that they shouldn’t stop anyone who’s thinking about trying the OS from doing so. At the end of the day, these should simply serve as a poignant reminder that simply because Chrome’s immune to traditional attacks doesn’t mean it’s completely impervious to malicious software.