Google believes that their ChromeOS secured than most operating system available for the personal computer today. However, security agency Whitehat denies that ChromeOS secured.
Security researcher for WhiteHat Security, Matt Johansen shares some flaws about ChromeOS as a sample for what people could expect from the upcoming Blackhat security conference in Las Vegas. Johansen tells everyone that Google provided them with a cr-48 Chromebook, which has the operating system ChromeOS so that they could find any lack of security in the operating system. They are able to hack the system within a short-time.
ChromeOS differs from other operating system since the data can be found on the cloud. ChromeOS would be harder to be hack than most OS.
According to Johansen, they exploited the system using a different strategy not used by hackers.
He believes it that it would work just like in the case of smartphones’ malware installed into the device. Users would want to install an application to ChromeOS to max out the capabilities of the OS.
Upon installation, the apps get permission from the user to access data stored on cloud. Although, there is a safety program that ask the user if they would want the application to be stored into the system, some users never think about it and just agrees on installing the device.
The risk started once the app gets authorization from user that it could now access the data in the cloud server and do malicious activity. A good example would be the Scratchpad notetaking app, installed in the ChromeOS as it got installed into the computer. There is a go-ahead signal for the ScratchPad to auto-sync with a users Google Docs account.
The problem with having Google Doc is that Google Docs allow its users to share documents with other users, but lacks the ability to ask the receiving user if they want the document or not. Once Scratchpad running, Google authenticates the logged user, a loop-hole that can be detected and taken advantage of by hackers. The attacker would then embed or share a malicious link that could steal credentials, history or other important data.
As the wide open permission means trouble, it does not mean that the damage cannot be done without permission, as well.
Operating system using hard drive and OS using cloud in storing the data faces the same security risk. As all operating system vulnerable from attacks online.
In the last part of the conversation, Johansen said that they exploited the extension to attack the OS.