Printed from

Chrome OS vulnerable to rogue add-ons, loose Google policy

updated 08:50 pm EDT, Sat August 6, 2011

Chrome OS exploits uncovered at Black Hat

Chrome OS is vulnerable both to extensions and, to some extent, to Google's own approach to security, WhiteHat Security experts led by Matt Johansen revealed in a presentation at the Black Hat conference this week. Because extensions have to reach outside sites and the OS depends on this code for extra features, it's possible to compromise the OS itself by installing a malicious extension. While not an issue by itself, CNET noted that extensions have shown up in Google's own Chrome Web Store explicitly meant to steal information, and others get deep access that could be misappropriated.

Johansen noted that there didn't appear to be vetting for the extensions in the web store. Although they can be marked as safe, extensions that clearly shouldn't have been on the store were marked as safe.

"We actually saw an extension in the Chrome Web Store called Cookie Stealer that did precisely that," the researcher said. "But hey, it had the checkmark next to it that it was verified safe and secure."

Chrome OS did still have some security elements that gave it advantages, much of which were borrowed from the regular Chrome browser. Tabs are sandboxed from each other to prevent spying on secure data from another tab, browser exploits have to happen locally, and the OS is responsible for its own plugins. Google argued that the vulnerabilities were all about the web, not the OS.

With the web representing virtually the entire OS, though, Johansen noted that there were relatively few layers. Chrome OS has no anti-malware behind what the regular OS itself offers, leaving the owner to make more of the decisions about what content was safe. "The issue of permissions is complicated because it basically turns the end user into a firewall," he said.

By Electronista Staff


  1. Hash

    Mac Elite

    Joined: Apr 2001


    comment title

    OS made by thieves of private information for other thieves of private information

  1. SockRolid

    Forum Regular

    Joined: Jan 2010


    So much for Plan B

    Looking very bad for Android now. The judge handling the Oracle vs. Google case has essentially told the Google legal team that they can't win. It's just a matter of determining damages now, if Oracle is even willing to settle for cash.

    I figured Google could fall back on Chrome. It certainly seemed like they had positioned Chrome to replace Android eventually. But if Google does as bad a job with Chrome as they did with Android, they'll need to fall back to what? Plan C? Good luck with that.

    Read it and weep, Fandroids:

  1. msuper69

    Professional Poster

    Joined: Jan 2000


    Big DUH!

    Unvetted apps allowed in the Android MarketPlace. What do you expect?

    Comment buried. Show
  1. facebook_Tideowave

    Via Facebook

    Joined: Aug 2011



    So windows is still good inspite of it's flaws.

    Comment buried. Show
  1. facebook_Tideowave

    Via Facebook

    Joined: Aug 2011



    So windows is still good inspite of it's flaws.

    Comment buried. Show
  1. Hercules Rockefeller

    Fresh-Faced Recruit

    Joined: Apr 2011


    Can't stop Android

    Apple is desperately trying to kill Android any way they can. They can't compete fairly so they use the court system but nothing can stop Android now. It's killing IOS, WP7, BB and everything else.

  1. climacs

    Mac Enthusiast

    Joined: Sep 2001



    and Apple's stock price sure does reflect the total failure that iOS is...

  1. joecab

    Fresh-Faced Recruit

    Joined: Apr 2004



    They are? What have they done? Apple admits they aren't open, vet their apps, won't allow Flash, and waited years to even add Verizon the iPhone network. That sounds more like someone differentiating themselves. If they wanted to destroy Android by marketshare, they'd litter the marketplace the same way, but that ain't Apple.

    Besides this is business, and they decided to take this battle to the public to whine and get sympathy. Apple is making tons of money sticking to their guns, and Android tablets still are not selling. And if they say Apple bought the patents to destroy them, why do you think Google wanted them? To turn them all open source? Google had someone on Apple's board when the iPhone was being developed, and then magically Google also started developing a phone. And if you think that's coincidence, go stare at the pictures of what Google's phone looked like before 2007 (a BlackBerry) and what it looked like afterwards (an iPhone).

    If Google cared about the patent system, it would have gone about to change it before this incident. It only cared when they couldn't use it to their advantage and someone else beat them to it.

  1. testudo

    Forum Regular

    Joined: Aug 2001


    I'm sure....

    So, Chrome is this massive security hole? And everyone agrees. Gee, if this guy said the same thing about OS X, and it had the same 'issues', we'd hear how this guy was a clown, how he should've told Apple first, how there's been no break-ins, so it is all just theoretical. Assuming he wasn't blasted as being a no-nothing idiot who really doesn't understand security.

    I guess Apple is the only one who gets the benefit of the doubt. Anyone else, it's assumed to be true.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines


Most Popular


Recent Reviews

Linksys WRT1200AC Wi-Fi Router

Once upon a time, a brand-new Linksys router showed up on our doorstep. So we gathered some network-minded friends together, and hooke ...

Rapoo A300 Mini Bluetooth NFC Speaker

The Rapoo Bluetooth Mini NFC Speaker is a little metallic box about the size of a baseball. In spite of its small size, we were very p ...

Neurio Intelligent Home Monitor

The recently released Neurio Intelligent Home Monitor is a piece of hardware that, when integrated into a home's breaker box, monitors ...



Most Commented


Popular News