Google's ChromeOS is a browser-based, cloud-powered operating system that holds the potential to be more secure than traditional hard-disk-powered operating systems. According to research from security firm WhiteHat, ChromeOS has its strengths, but it also has a few weaknesses.
Matt Johansen, security researcher at WhiteHat Security, detailed some high-level areas of concern in ChromeOS during a preview event ahead of the Black Hat security conference in Las Vegas, which kicks off at the beginning of August. Johansen noted that Google provided WhiteHat with a Cr-48 Chromebook powered by ChromeOS to test its security and see if there were any risks.
"We were successful pretty quickly," Johansen said.
"The exploits look different since the target is not your hard drive or CPU power, the target is your information," Johansen said.
According to Johansen, the risk to ChromeOS comes by way of Chrome extensions and Chrome apps, which he sees as analogous to mobile apps for a smartphone. Users don't install just any software they want on ChromeOS; they install specific apps that extend the functionality of the browser.
Those apps get permissions to a user's ChromeOS and its associated cloud profile. Johansen explained that each app asks a user for permissions first, in the same manner as mobile apps do. He noted that most users simply allow the app to download without much thought about the permissions request.
"I see a new attack surface here, it's a total web hacker's dream," Johansen said. "This is a very target-rich environment."
The risk is that a Chrome app gets permissions that it is then able to leverage for some kind of malicious activity. One example noted by Johansen involves the Scratchpad note-taking app that is installed by default on a Chromebook. The permissions in Scratchpad enable it to auto-sync with a user's Google Docs account.
The problem with that, according to Johansen, is that Google Docs lets users share documents with others without first asking the receiving user whether they want the document. Johansen noted that when using Scratchpad the user is logged in and authenticated to Google. That loophole could potentially have been exploited by an attacker to embed or share a malicious link that could steal credentials, history or other user information.
While wide-open permissions in an extension can be trouble, Johansen noted that damage can be done with minimal permissions as well.
Overall, though ChromeOS represents a different paradigm for hardware, Johansen said that from a security perspective the same web application risks that have existed since the beginning of the Internet are still a concern.
"Extensions are mini web applications and we're attacking them via web application techniques that we've been using for years," Johansen said. "Cross Site Scripting is the most widespread attack on the web and we're utilizing it in ways we haven't seen before on the browser extension trust model."