Web extensions to become a new attack vector

Powered by SC Magazine
 

Google Chrome, now less shiny.

A penetration tester has exploted a hole in Google Chrome that granted unauthorised access to gmail accounts.

WhiteHat Security researcher Matt Johansen identified the vulnerability in a Chrome OS note-taking application.

He disclosed the hole to Google which patched it and gave him US$1000 as part of its Chromium security initiative.

Caesar Sengupta

Johansen told Reuters he intercepted data travelling between a Chrome browser extension and the Google cloud.

"I can get at your online banking or your Facebook profile or your email as it is being loaded in the browser," he said.

Google has not yet revealed details of the security hole which Johansen plans to release at the Black Hat conference in Las Vegas this year.

Google extensions, written by third party software developers, were a ripe target for attack because they were granted more privileged access rights to Google cloud data than what the browser offered to web sites.

WhiteHat security detailed in a 2007 research paper (pdf) a series of web application security vulnerabilities that could also be used to attack web browser extensions in Chrome and Mozilla FireFox.

The attack on Google extensions was different to typical exploits that target data residing on hard drives.

"If I can exploit some kind of web application to access that data, then I couldn't care less what is on the hard drive," he said.

But Johansen had since discovered other applications with the same security flaw.

"This is just the tip of the iceberg ... We can see this becoming a whole new field" for malware attacks, he said.

Chrome OS director Caesar Sengupta said there are "significant benefits to security" by storing apps within the browser.

"Unlike traditional operating systems, Chrome OS doesn't trust the applications you run. Each app is contained within a security sandbox making it harder for malware and viruses to infect your computer."

"Furthermore, Chrome OS barely trusts itself. Every time you restart your computer the operating system verifies the integrity of its code. If your system has been compromised, it is designed to fix itself with a reboot.

"While no computer can be made completely secure, we're going to make life much harder and less profitable for the bad guys."

Copyright © SC Magazine, Australia


Web extensions to become a new attack vector
 
 
 
Top Stories
Turnbull introduces data retention legislation
Still no definition of metadata to be stored.
 
Images: the next frontier in data analytics?
Barclay’s global data chief says we’re still at the starting line.
 
Crime Commission prepares core systems overhaul
Will replace 30 year-old national criminal database.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  26%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  25%
TOTAL VOTES: 416

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  55%
 
No
  45%
TOTAL VOTES: 195

Vote