11 Aug 2011

Chrome extensions make operating system vulnerable

Computer security specialists Matt Johansen and Kyle Osborn announced at this week's Black Hat conference in Las Vegas that attackers can exploit web applications called extensions to compromise Google's internet-based Chrome operating system.

By running Chrome OS through the web rather than from computers' hard drives, Google eliminated certain security issues, such as machines running out-of-date OS software. But the applications called extensions, which users download to add functionality to the operating system, are vulnerable to cross-site scripting attacks, Johansen and Osborn said, because extensions often require broad access to a computer's web browser in order to perform their functions.
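The broad access described above is declared in an extension's `manifest.json`, so it can be reviewed before installation. The following is an added example, not code from the researchers' talk or from Google: the function names and both sample manifests are constructed for illustration.

```javascript
// Added example: flag broad access requested in a Chrome extension manifest.
// Sample manifests below are constructed, not taken from real extensions.

// Browser APIs that expose browsing data across sites (real Chrome permission names).
const SENSITIVE_APIS = new Set(["tabs", "cookies", "history", "bookmarks"]);

// True for match patterns that cover every site: <all_urls>, *://*/*, http(s)://*/*
function isBroadHost(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// Returns a list of findings for one manifest (passed as JSON text).
function auditManifest(manifestJson) {
  const m = JSON.parse(manifestJson);
  const findings = [];
  // Older manifests list host patterns inside "permissions"; newer ones use "host_permissions".
  const declared = [...(m.permissions || []), ...(m.host_permissions || [])];
  for (const p of declared) {
    if (typeof p !== "string") continue;
    if (isBroadHost(p)) {
      findings.push({ where: "permissions", value: p, reason: "host access to every site" });
    } else if (SENSITIVE_APIS.has(p)) {
      findings.push({ where: "permissions", value: p, reason: "sensitive browser API" });
    }
  }
  // Content scripts run inside matching pages, so a broad match means every page.
  for (const cs of m.content_scripts || []) {
    for (const pat of cs.matches || []) {
      if (isBroadHost(pat)) {
        findings.push({ where: "content_scripts", value: pat, reason: "script injected into every page" });
      }
    }
  }
  return findings;
}

const broadManifest = JSON.stringify({   // constructed sample
  name: "Sample Notes Helper", version: "1.0",
  permissions: ["tabs", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }]
});
const narrowManifest = JSON.stringify({  // constructed sample
  name: "Sample Mail Checker", version: "1.0",
  permissions: ["storage", "https://mail.example.com/*"],
  content_scripts: [{ matches: ["https://mail.example.com/*"], js: ["check.js"] }]
});

for (const f of auditManifest(broadManifest)) console.log(`${f.where}: ${f.value} (${f.reason})`);
console.log("narrow manifest findings:", auditManifest(narrowManifest).length);
```

An extension flagged this way is not necessarily malicious, but a scripting flaw in it is exposed to every site the listed patterns cover.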

While these attacks will not infect a computer's hard drive like other intrusions, they can still glean sensitive user information posted online, including usernames, passwords and financial data, the researchers said.

Adding to the danger, Google does not evaluate the extensions available to users on its Chrome Web Store, making it easy for a cyber criminal to post a malicious extension and lure users into downloading it. To demonstrate how unregulated the web store is, Osborn uploaded and then took down an extension he labeled "Malicious Extension," Information Week reports.

Google operates a similar store for mobile applications that run on its Android platform. In the last few months, the company has removed dozens of malicious apps from the store and from users' mobile devices.