LAS VEGAS -- Flaws in Google Chrome extensions could enable attackers to steal account credentials, hijack browser sessions and virtually take over a victim’s computer without their knowledge, according to two researchers
Demonstrated vulnerabilities in Chromebooks
In a presentation at Black Hat 2011, Matt Johansen and Kyle Osborn of Santa Clara Calif.-based WhiteHat Security, demonstrated ways cybercriminals can use extensions by targeting cross-site scripting (XSS) vulnerabilities, a common Web-application coding error frequently targeted by attackers. The issue could have a wide-ranging impact on Google Chromebook users, who must rely on Chrome extensions to access documents and other information.
“The software security model we’ve been dealing with for decades now has been reframed,” Johansen said. “It’s moved into the cloud and if you’re logged into bank, social network and email accounts, why do I care what’s stored in your hard drive?”
Google has touted its new Chromebook platform as the next generation of computing. Chrome extensions are Web applications that can be used inside the Chrome browser to extend its functionality and ultimately make it more useful as the foundation of Google’s Web-centric OS. Users can browse a repository of extensions, which add functionality to the browser.
RSS Readers, mail notifiers and note takers – virtually anything that takes input from somewhere and displays it to the user is at risk here. We don’t care about access to a victim’s hard drive and what’s in there; XSS gives hackers everything we could ask for and more.
WhiteHat Security Inc.
While the Chrome browser has a sandboxing security feature to prevent an attack from accessing critical system processes, Chrome extensions are an exception to the rule. They can communicate among each other, making it fairly easy for an attacker to jump from a flawed extension to steal data from a secure extension.
Johansen and Osborn, who were asked by Google to find vulnerabilities in a beta version of a Chromebook laptop, said the issues they’ve identified can still be carried out against many Chrome extensions – many of which are created by third-party developers. The attacks take advantage of Web application vulnerabilities that have been used for years.
Chromebook security: Techniques attack Chrome extensions
During their Black Hat presentation, the two researchers showed an issue in one extension, which enabled them to target a second extension. They demonstrated the technique against a browser extension in a popular password-storage service, LastPass, from the company of the same name. They exploited a XSS vulnerability in an extension to steal passwords and take full control of a victim’s LastPass account, even though LastPass had no security vulnerability. The technique involved stealing the session cookie and hijacking the victim’s access to the password-storage service.
“RSS Readers, mail notifiers and note takers – virtually anything that takes input from somewhere and displays it to the user is at risk here,” Johansen said. “We don’t care about access to a victim’s hard drive and what’s in there; XSS gives hackers everything we could ask for and more.”
Third-party developer responsibilities
The problem lies in Chrome extension permissions set by third-party developers. Permissions enable an extension to tap into Web-based repositories, such as Google Docs or a third-party website, to access data. For example, banking extensions are required to access the bank’s servers to get information. An RSS feed reader extension may be a major issue, the researchers said, because an RSS reader is required to have permission to access nearly every potential domain. Using the technique outlined by the WhiteHat researchers, an attacker can hack into the repositories to steal data.
The onus may be on third-party extension developers to correct vulnerabilities and eliminate unneeded permissions. Google’s repository has no code review process, so it is up to the user’s discretion to decide whether an extension requests too many permissions.
“So we not only have to worry about the security mindset of developers, but some extensions need wide open permissions to run,” Johansen said. “We’ve seen extensions in the wild that have absolutely wide open permissions.”
Google has corrected an issue with one of its own extensions called ScratchPad, a note-taking application that automatically syncs to the user’s Google account and can be shared with anyone in the user’s Google contact list. The company has also responded to the latest security research in its Chromium Blog, giving developers recommendations on how to make Chrome extensions more secure.
Google also issued the following statement:
“This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.”
Chromebooks are currently available from vendors such as Acer Inc. and Samsung.