Google is currently considered the most powerful search engine. Chrome, Google's own browser, has clearly entered the web browsing scene and proven to be among the best, with many features that rival the best of the competition. As an example of how good this browser is, it gained its market within a short period despite the dominance of Internet Explorer and Mozilla Firefox. Everyone thought that Chrome OS had no weaknesses, until experts recently showed that the browser exposes people's data to attack.
During the Black Hat USA security conference yesterday, WhiteHat Security researchers Matt Johansen and Kyle Osborn talked about numerous Chrome extension-based attack vectors. According to the two, the fundamental design defect is not going to be addressed easily.
Google Chrome OS is built around the Google Chrome web browser. Almost all of its functionality comes from web-based apps and extensions, which are available for download from its web-based store. However, this also opens up possibilities for attack.
Anyone browsing the web store will notice that some extensions and apps carry warning signs. All of the extensions and apps can become a security issue.
It will be easy for attackers to come up with a malicious extension and use social engineering to trick users into installing it, particularly since the Chrome Web Store submission process is now automatic.
The extensions allow the attacker to gain access to people's data. Extensions are designed to use credentials (cookies) when requesting data from websites.
Rogue extensions are not the only ones that pose such security threats; vulnerable ones pose similar threats. For instance, a cross-site scripting defect in a website can be abused to attack that website, but an XSS weakness in a Chrome extension can be used to attack all of the websites that are open in the browser.
Getting several people to install a rogue extension is not that easy, which limits the potential for attack. However, there are many more potential victims if an attacker can exploit one popular extension.
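How far a rogue or vulnerable extension can reach is bounded by the permissions declared in its manifest.json, so a manifest review is a practical first check. The Python sketch below is an added example, not code from the researchers or from Google; the sample manifests are constructed, and the lists of broad host patterns and sensitive APIs are assumptions chosen for illustration.

```python
import json

# Assumed lists for this example; tune them for your own review policy.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"cookies", "tabs", "history", "webRequest"}


def audit_manifest(manifest):
    """Return sorted findings for one parsed Chrome extension manifest."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # Manifest V2 mixes host patterns into "permissions"; V3 lists them
    # separately under "host_permissions".
    hosts = [p for p in perms if p == "<all_urls>" or "://" in p]
    hosts += manifest.get("host_permissions", [])
    findings = set()
    for host in hosts:
        if host in BROAD_HOSTS:
            findings.add("broad host access: " + host)
    for api in perms:
        if api in SENSITIVE_APIS:
            findings.add("sensitive API: " + api)
    # Content scripts run inside every page their match patterns cover.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.add("content script on all sites: " + pattern)
    return sorted(findings)


# Constructed sample manifests (not real extensions).
SAMPLE_BROAD = json.loads("""
{
  "name": "Constructed Example A",
  "manifest_version": 2,
  "permissions": ["cookies", "storage", "http://*/*", "https://*/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}
""")
SAMPLE_NARROW = json.loads("""
{
  "name": "Constructed Example B",
  "manifest_version": 3,
  "permissions": ["storage"],
  "host_permissions": ["https://api.example.com/*"]
}
""")

if __name__ == "__main__":
    for sample in (SAMPLE_BROAD, SAMPLE_NARROW):
        print(sample["name"], audit_manifest(sample) or "no broad grants")
```

An extension that combines all-site host access with the `cookies` permission is the kind whose compromise would expose every open session, which makes it the one to review first.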
Chester Wisniewski, senior security advisor at Sophos, says that people should worry about existing popular extensions that are vulnerable to such attacks. Such an attack allows the attacker to seize everything that happens in the browser session.
Wisniewski also added that all the extensions available in the Chrome Web Store are not intended for security purposes, which makes them more vulnerable.
The researchers assert that Google has been open about addressing the problems. However, they are not easy to fix, as Chrome's design complicates things.