Tuesday 9 August 2011

ChromeOS Vulnerabilities

As the ChromeOS fan base grows, so does the share of malware aimed at it. Since ChromeOS is based solely on a browser, malware writers focus their attacks on malicious extensions for Chrome. Take Scratchpad, for example, one of the apps that comes pre-installed with ChromeOS, and the vulnerability that was found in it, known as open permission.

A quote from Kyle Osborn at the Defcon 19 Conference.

"Because it has access to all sub-domains under Google.com, this could include your contacts or Voice account. An exploit could export your entire contact list as a CSV," he said, simply because you were using a Google-written app.

Through the use of a tested malicious app installed into ChromeOS, they were able to forcefully download an app of their choosing, and because everything is synced to a user's Google account, there is no defense wall to bypass.

Don't get me wrong, the security in ChromeOS is much tighter than in other OSes, but the attacks are shifting from the everyday malware we see in Windows to web-based attacks.

The only downside is how this system basically turns the end user into the firewall. When installing apps, it still shows what information the app accesses, but not everyone reads that; in fact, the majority of people won't read it and will just skip the small print to install the app.

A writeup on the Chromium blog can be found here about developing apps more safely: http://goo.gl/lzH5Q
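
The install prompt leaves the permission review to the user, so here is an added example (not from the original post or from Google) that does the same review in code: it flags host patterns in an extension manifest that cover every sub-domain of a site or every site. The manifest is constructed for illustration and is not Scratchpad's; the function names are hypothetical.

```javascript
// Added example: flag broad host access requested by a Chrome extension manifest.
// sampleManifest is constructed for illustration; it is not Scratchpad's manifest.
const sampleManifest = {
  name: "Example Notes (constructed)",
  permissions: ["tabs", "https://*.google.com/*", "https://docs.example.com/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["cs.js"] }],
};

// Chrome match pattern: <scheme>://<host><path>, or the literal "<all_urls>".
const PATTERN = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/;

// Returns "all-sites", "all-subdomains", "single-host",
// or null for entries that are not host patterns (API permissions such as "tabs").
function classifyPattern(p) {
  if (p === "<all_urls>") return "all-sites";
  const m = PATTERN.exec(p);
  if (!m) return null;
  const host = m[2];
  if (host === "*") return "all-sites";
  // "*.google.com" covers google.com and every sub-domain under it.
  if (host.startsWith("*.")) return "all-subdomains";
  return "single-host";
}

// Collects host patterns from both places a manifest can request page access
// and returns the ones broader than a single host.
function auditManifest(manifest) {
  const patterns = [
    ...(manifest.permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const findings = [];
  for (const p of patterns) {
    const scope = classifyPattern(p);
    if (scope === "all-sites" || scope === "all-subdomains") {
      findings.push({ pattern: p, scope });
    }
  }
  return findings;
}

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.scope}: ${f.pattern}`);
}
```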
