Researchers poke gaping holes in Google Chrome OS

Google has billed its Chrome operating system as a security breakthrough that's largely immune to the threats that have plagued traditional computers for decades. With almost nothing stored on its hard drive and no native applications, there's no sensitive data that can be pilfered and it can't be commandeered when attackers …

COMMENTS

Probably a naive question

Why aren't these extensions sandboxed from each other?

(untitled)

Excellent question actually. I had thought that the Goog security model was to give everything its own sandbox so nothing shares.

My guess is....

I've not written Chrome or Firefox extensions before, but I assume they're written in javascript and they require access to the global javascript environment for the tab in which they are active.

While you can isolate extensions that have instances in different tabs, I don't see how you can completely isolate two extension instances that are active for the same tab.

Anyone care to enlighten us?

I'm surprised

I'm surprised this is a problem, because even if extensions exist in the same environment it is possible to program them in such a way that no other extension can read the data of an other extension.

Just look up Private Members in JavaScript by Crockford; basically you just create your extension data inside its own scope.

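As an added illustration (not code from this thread or from any extension vendor) of the closure-scoped "private members" pattern the post refers to, the block below runs under Node and uses a hypothetical `makeContext()` stand-in for the page's `window` and `document`. It shows both what a closure protects (the extension's own stored state) and what it cannot protect (anything the extension writes into the shared document, such as a filled-in password field):

```javascript
// Added example, not code from the thread. It shows Crockford's "private
// members" pattern (state held in a closure) beside its limit: closures hide
// an extension's own state, but anything it writes into a shared object stays
// readable by every other script in that context. makeContext() is a
// hypothetical stand-in for the page's window and document so the file runs
// under Node without a DOM.

function makeContext() {
  return { document: { passwordField: '' } };
}

// Password-manager style extension with closure-scoped state.
function makeVaultExtension() {
  const secrets = new Map();   // private: reachable only through the closure
  return {
    store(site, password) { secrets.set(site, password); },
    // Filling the form necessarily hands the secret to the shared document.
    fillLoginForm(ctx, site) {
      ctx.document.passwordField = secrets.get(site) || '';
    },
  };
}

// The same extension written carelessly: its state is parked on the shared
// context, where any script can enumerate it.
function makeLeakyExtension(ctx) {
  ctx.vaultData = ctx.vaultData || {};
  return {
    store(site, password) { ctx.vaultData[site] = password; },
  };
}

// What another script in the same context can observe: enumerable properties
// of the context (other than the document itself) and the field contents.
function visibleToOtherScripts(ctx) {
  return {
    globals: Object.keys(ctx).filter((k) => k !== 'document'),
    passwordField: ctx.document.passwordField,
  };
}

function demoSharedState() {
  const ctx = makeContext();
  const vault = makeVaultExtension();
  vault.store('example.test', 'hunter2');       // constructed sample credential
  const before = visibleToOtherScripts(ctx);    // nothing observable yet

  const leaky = makeLeakyExtension(ctx);
  leaky.store('example.test', 'hunter2');       // now on the shared context
  vault.fillLoginForm(ctx, 'example.test');     // now in the shared document
  const after = visibleToOtherScripts(ctx);

  return {
    before,
    after,
    // The closure's Map is not a property of the returned object.
    secretsExposedByVault: 'secrets' in vault,
  };
}

console.log(JSON.stringify(demoSharedState(), null, 2));
```

The `before` snapshot is empty and `secretsExposedByVault` is `false`, so the closure does its job; the `after` snapshot lists `vaultData` and shows `hunter2` in the field, which is the point the rest of the thread makes: scoping only helps until the data has to touch the shared page.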
Programming 101

What? I don't have that much experience of Java, but do I understand you correctly that this is a problem because the data definitions are coded outside the main method and therefore appear as global data???? (or something like that)

Is it a Java problem or a Google Chrome problem?

In either case it looks like a fail of epic proportions for both the developers of the extensions and the Sun/Oracle developers of Java for sloppy programming.

JavaScript is not Java

The languages may have a similar name and a superficially similar syntax, but that's all they have in common.

On the subject of JavaScript, encapsulating an extension still can't stop it from accessing global objects such as 'window', which is an absolutely essential part of the browser object model. If two extensions are allowed to run concurrently and if extensions are allowed to access anything about a currently viewed web page, then clearly both must by definition be able to access the same DOM tree and modify it, or place event listeners on parts of it.

This is the problem with JavaScript; it's a mess of single threaded, global based design disasters that cause very serious security headaches if you start using it for anything large scale. There's nothing wrong with the language, apart from people failing to understand that it uses prototypical inheritance rather than classical inheritance; but there's a lot wrong with the way that JS works in a browser when it comes to trying to isolate scripts from one another.

A brief look at the Chrome extensions API shows interfaces for browser windows, visit history, cookies... Are you *sure* that extension you just downloaded hasn't been sending all your cookies off to some shady remote server somewhere?

http://code.google.com/chrome/extensions/cookies.html

Note the "getAll" and "getAllCookieStores" methods. Sure, the manifest needs to specify permissions for that, but we know what users do when an OS asks them about it - "<foo> wants to do <bar>, is that OK?" - "yes".

Check out the Tabs interface while you're there. "executeScript" is my favourite - 'Injects JavaScript code into a page'. What could possibly go wrong?!

You could only truly isolate extensions if they operated entirely within their own JavaScript execution context, but that means not being allowed anywhere near shared global objects; most extensions would become impossible by design and extensions in general would be so restricted as to be next to useless. You may as well just write a web application in that case; the idea of an extension is to extend the system, not just be some isolated stand alone thing - an isolated stand alone thing is called an app.

Being unable to write native code clearly reduces the range of attacks possible on the platform, but claiming that security problems are a thing of the past or trying to punt them off as a 'web problem' is nonsense. Well, it's marketing, which is much the same thing ;-)

Personally, I've adopted the "50 foot barge pole" policy with this particular OS.

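The post above points at the cookies and tabs interfaces and at the manifest permissions that gate them. As an added example (not code from the thread, from Google, or from any real extension), here is a small review helper that reads an extension manifest and lists the permissions worth weighing before clicking "yes". The permission names (`cookies`, `tabs`, `history`, `<all_urls>`) and the host match-pattern syntax are real Chrome manifest values; the risk notes and the sample manifest are constructed for this example:

```javascript
// Added example, not from the thread or from Google. A review helper that
// reads a Chrome extension manifest and lists the permissions a person should
// weigh before installing. Permission names and match-pattern syntax are real
// manifest values; the risk notes and SAMPLE_MANIFEST are constructed.

const SENSITIVE_PERMISSIONS = {
  cookies: 'chrome.cookies (getAll, getAllCookieStores) for hosts the extension may also reach',
  tabs: 'URL and title of every open tab',
  history: 'browsing history',
  '<all_urls>': 'every site: scripts can be injected into any page (executeScript) and its cookies read',
};

// A host match pattern whose host part is a bare "*" covers every site on
// that scheme (e.g. "http://*/*" or "*://*/*").
function isBroadHostPattern(pattern) {
  return /^(\*|https?|ftp):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  // Manifest V2 lists hosts under "permissions"; V3 moved them to
  // "host_permissions". Check both so the helper works with either.
  const declared = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  const findings = [];
  for (const p of declared) {
    if (Object.prototype.hasOwnProperty.call(SENSITIVE_PERMISSIONS, p)) {
      findings.push({ permission: p, grants: SENSITIVE_PERMISSIONS[p] });
    } else if (isBroadHostPattern(p)) {
      findings.push({ permission: p, grants: 'every site on that scheme: script injection and cookie access' });
    }
  }
  return findings;
}

// Constructed sample manifest, not a real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Example tab helper',
  version: '0.1',
  permissions: ['storage', 'cookies', 'tabs', 'http://*/*', 'https://*/*'],
};

// Names of the flagged permissions, in manifest order.
function auditSampleManifest() {
  return auditManifest(SAMPLE_MANIFEST).map((f) => f.permission);
}

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.permission}: ${f.grants}`);
}
```

On the sample manifest the helper flags `cookies`, `tabs` and both wildcard host patterns while passing `storage` through silently; a manifest that only asks for `storage` and a single named host produces no findings. The helper reads the manifest only, so it is a triage aid for the "<foo> wants to do <bar>" prompt, not a substitute for reading the extension's code.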
Re: Programming 101

If you read a bit more carefully you will notice that the problem has nothing to do with Java, Sun, Oracle etc. JavaScript is a completely different beast. Anyway, lazy programming is language and platform independent.

Re: Programming 101

If you can't tell the difference between Java and JavaScript, put down the computer and go back to McDonald's.

I can't believe people still confuse them after all these years.

While this is interesting

...the exploits they are discussing are at the browser level or above, and it's not like these types of issues are unique to the browser in ChromeOS.

When someone rootkits ChromeOS... now *that* will be interesting.

Re: While this is interesting

"When someone rootkits ChromeOS..."

Why bother? Since ChromeOS forces everyone to keep everything of value in the cloud, the browser is the only thing on the device *worth* exploiting.

Botnets? Persistent keylogging?

Why does anyone rootkit anything?

Not disagreeing, but there must be some good reason why the virus/botnet/rootkit writers spend so much time on that sort of stuff.

But at least...

they fixed it when it was pointed out to them.

And it counts ...

because the fix was automatically pushed to every system. I love that feature.

(And I understand that someone's IE6-based internal Web app may not appreciate security updates at Google's whim ...)

ChromeOS Running IE?

"(And I understand that someone's IE6-based internal Web app may not appreciate security updates at Google's whim ...)"

Not likely. This is ChromeOS ... it doesn't use IE6 ... it runs within Chrome.

Microsoftians need not worry about a new overlord, just yet.

Think out of the cardboard box.

“Whose problem is this to fix? LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”

Then LastPass's approach doesn't make sense in the current setting and a sane situation is out of reach. If security depends on other developers doing the right thing, you are hosed. The browser needs to be fixed, the approach needs to be fixed or scrapped.

It's like with Social Security. You can't afford it. Cuts or more taxes? You still can't afford it. It doesn't make sense - it's economically out of reach.

Def

Can't afford it?

Just increase your debt limit until you can.

Chrome OS in many cases is only as strong as its weakest extensions.

Isn't that the same as most other OS's?

Most attacks these days against modern OSes exploit 3rd party flaws, not direct attacks against the OS itself (Adobe, looking at you).

Marketing

True, but Chrome has pushed the security of their Chrome OS. If it's only as bad as more orthodox OSes that's not a particularly impressive marketing message: 'Chrome OS: Not Any More Insecure than Mac or Windows.' That doesn't give you a reason to switch to Chrome OS. It has to be _better_ than what you're currently using.

The public misunderstanding as to information security is worsened by the fact that to most people, the OS is everything that runs on the computer. A Mac isn't just the hardware and base software, but all the applications that run on it. So if a third party flaw allows for an exploit in OS X, people take that as an argument against the claim that 'Macs don't get viruses', because a Mac is a computer, and the computer was compromised. Never mind where the intrusion came from.

Sure, if you don't install anything and lock everything down, your computer is very secure. But Chrome OS needs extensions just like Windows, OS X and Linux need local software packages. Claiming the default installation is secure isn't all that impressive.

Chrome OS isn't really more secure. It's just insecure in a different way.

Call me silly but...

“Whose problem is this to fix?” Johansen continued. “We don't really have an answer for that. LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”

Didn't he answer his own question? If LastPass did everything correctly and the other extension developers developed an extension with a vulnerability in it, doesn't that, by default, make it the other developers' problem to fix?

Target Improbable

Given that Google are trying to build a new execution environment from (almost) scratch in a very short period of time, it's inevitable that problems are going to be incorporated.

The traditional OSes have been developed over decades and they're still not right yet. What's so special about Google's approach to make it likely that ChromeOS is trouble free in such a short period of time? Personally speaking I won't be touching it with a barge pole.

Google's only motivation for developing ChromeOS is to capture more of the advertising market. They're a commercial, profit driven company just like every other. ChromeOS is a dangerous strategy because it succeeds only if a substantial number of people can be persuaded that it provides a level of service and security above that which is offered by the more conventional platforms (Win/Mac/*nix). It will be difficult to provide such assurances if security researchers keep finding massive holes like this. And by going way beyond the scope of other things like Google Docs, Gmail, etc. they're taking on a much bigger task and are less likely to succeed.

Anonymous Coward

For security law enforcement must attack the masterminds

For security law enforcement must attack the masterminds -- the people freely distributing the hacking tools and techniques to anyone.

Any sophisticated system can be hacked -- it is just a matter of time and expertise.

Security only exists when the time it takes to develop the hack is shorter than the time it takes to imprison the hacker.

Better the devil you know

Well, that is my conclusion. Having spent years playing with Linux flavours, Chrome and the rest, at least with Windows it is improving massively yet will never be even 99% secure. So I just accept that despite my best efforts there is always a risk of security breach, and I manage my data accordingly.

By the way, where has the Bill icon gone?!

Google spokesmonkey should google "security"

"Chromebooks raise security protections on computing hardware to new levels", quoth your Google spokesperson.

Right. Ignorant about both security *and* non-PC platforms, then, and apparently confused about the distinction between operating system and hardware. I think we can safely disregard anything from that source.
