back to article Researchers poke gaping holes in Google Chrome OS

Google has billed its Chrome operating system as a security breakthrough that's largely immune to the threats that have plagued traditional computers for decades. With almost nothing stored on its hard drive and no native applications, there's no sensitive data that can pilfered and it can't be commandeered when attackers …


This topic is closed for new posts.
  1. Gordon 10

    Probably a naive question

    Why aren't these extensions sandboxed from each other?

  2. Bill Gould


    Excellent question actually. I had thought that the Goog security model was to give everything its own sandbox so nothing shares.

  3. YARR

    My guess is....

    I've not written Chrome or Firefox extensions before, but I assume they're written in javascript and they require access to the global javascript environment for the tab in which they are active.

    While you can isolate extensions that have instances in different tabs, I don't see how you can completely isolate two extension instances that are active for the same tab.

    Anyone care to enlighten us?

    1. SilentLennie

      I'm surprised

      I'm surprised this is a problem, because even if extensions exist in the same environment it is possible to program them in such a way that no other extension can read the data of an other extension.

      Just look up Private Members in JavaScript by Crockford, basically you just create your extension data inside of it's own scope.

      1. Field Marshal Von Krakenfart

        Programming 101

        What? I don’t have that much experience of Java, but do I understand you correctly that this is a problem because the data definitions are coded outside the main method and are therefore appear as global data???? (or something like that)

        Is it a Java problem of a Google Chrome problem?

        In either case it looks like a fail of epic proportions for both the developers of the extensions and the Sun/Oracle developers of Java for sloppy programming.

        1. Andrew Hodgkinson

          JavaScript is not Java

          The languages may have a similar name and a superficially similar syntax, but that's all they have in common.

          On the subject of JavaScript, encapsulating an extension still can't stop it from accessing global objects such as 'window', which is an absolutely essential part of the browser object model. If two extensions are allowed to run concurrently and if extensions are allowed to access anything about a currently viewed web page, then clearly both must by definition be able to access the same DOM tree and modify it, or place event listeners on parts of it.

          This is the problem with JavaScript; it's a mess of single threaded, global based design disasters that cause very serious security headaches if you start using it for anything large scale. There's nothing wrong with the language, apart from people failing to understand that it uses prototypical inheritance rather than classical inheritance; but there's a lot wrong with the way that JS works in a browser when it comes to trying to isolate scripts from one another.

          A brief look at the Chrome extensions API shows interfaces for browser windows, visit history, cookies... Are you *sure* that extension you just downloaded hasn't been sending all your cookies off to some shady remote server somewhere?

          Note the "getAll" and "getAllCookieStores" methods. Sure, the manifest needs to specify permissions for that, but we know what users do when an OS asks them about it - "<foo> wants to do <bar>, is that OK?" - "yes".

          Check out the Tabs interface while you're there. "executeScript" is my favourite - 'Injects JavaScript code into a page'. What could possibly go wrong?!

          You could only truly isolate extensions if they operated entirely within their own JavaScript execution context, but that means not being allowed anywhere near shared global objects; most extensions would become impossible by design and extensions in general would be so restricted as to be next to useless. You may as well just write a web application in that case; the idea of an extension is to extend the system, not just be some isolated stand alone thing - an isolated stand alone thing is called an app.

          Being unable to write native code clearly reduces the range of attacks possible on the platform, but claiming that security problems are a thing of the past or trying to punt them off as a 'web problem' is nonsense. Well, it's marketing, which is much the same thing ;-)

          Personally, I've adopted the "50 foot barge pole" policy with this particular OS.

        2. diadomraz

          Re: Programming 101

          If you read a bit more carefully you will notice that the problem has nothing to do with Java, Sun, Oracle etc. Javascript is a completely different beast. Anyway lazy programming is language and platform independent.

        3. Dave Murray

          Re: Programming 101

          If you can't tell the difference between Java and Javascript put down the computer and go back to McDonalds.

          I can't believe people still confuse them after all these years.

  4. Anonymous Coward

    While this is interesting

    ...the exploits they are discussing are at the browser level or above, and it's not like these types of issues are unique to the browser in ChromeOS.

    When someone rootkits ChromeOS... now *that* will be interesting.

    1. Ken Hagan Gold badge

      Re: While this is interesting

      "When someone rootkits ChromeOS..."

      Why bother? Since ChromeOS forces everyone to keep everything of value in the cloud, the browser is the only thing on the device *worth* exploiting.

      1. Anonymous Coward
        Paris Hilton

        Botnets? Persistent keylogging?

        Why does anyone rootkit anything?

        Not disagreeing, but there must be some good reason why the virus/botnet/rootkit writers spend so much time on that sort of stuff.

  5. Wisteela

    But at least...

    they fixed it when it was pointed out to them.

    1. xantastic
      Thumb Up

      And it counts ...

      because the fix was automatically pushed to every system. I love that feature.

      (And I understand that someone's IE6-based internal Web app may not appreciate security updates at Google's whim ...)

      1. Stupidscript

        ChromeOS Running IE?

        "(And I understand that someone's IE6-based internal Web app may not appreciate security updates at Google's whim ...)"

        Not likely. This is ChromeOS ... it doesn't use IE6 ... it runs within Chrome.

        Microsoftians need not worry about a new overlord, just yet.

  6. Destroy All Monsters Silver badge

    Think out of the cardboard box.

    “Whose problem is this to fix? LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”

    Then LastPass's approach doesn't make sense in the current setting and a sane situation is out of reach. If security depends on other developers doing the right thing, you are hosed. The browser needs to be fixed, the approach needs to be fixed or scrapped.

    It's like with Social Security. You can't afford it. Cuts or more taxes? You still can't afford it. It doesn't make sense - it's economically out of reach.

    1. This post has been deleted by its author

  7. Anonymous Coward

    Chrome OS in many cases is only as strong as its' weakest extensions.

    Isn't that the same as most other OS's?

    Most attacks these days against modern OS' expliot 3rd party flaws, not direct attacks against the OS itself (Adobe looking at you).

    1. Anonymous Coward
      Thumb Up


      True, but Chrome has pushed the security of their Chrome OS. If it's only as bad as more orthodox OSes that's not a particularly impressive marketing message: 'Chrome OS: Not Any More Insecure than Mac or Windows.' That doesn't give you a reason to switch to Chrome OS. It has to be _better_ than what you're currently using.

      The public misunderstanding as to information security is worsened by the fact that to most people, the OS is everything that runs on the computer. A Mac isn't just the hardware and base software, but all the applications that run on it. So if a third party flaw allows for an exploit in OS X, people take that as an argument against the claim that 'Macs don't get viruses', because a Mac is a computer, and the computer was compromised. Never mind where the intrusion came from.

      Sure, if you don't install anything and lock everything down, your computer is very secure. But Chrome OS needs extensions just like Windows, OS X and Linux need local software packages. Claiming the default installation is secure isn't all that impressive.

      Chrome OS isn't really more secure. It's just insecure in a different way.

  8. BinaryFu

    Call me silly but...

    "“Whose problem is this to fix?” Johansen continued. “We don't really have an answer for that. LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”"

    Didn't he answer his own question? If LastPass did everything correctly and the other extension developers developed an extension with a vulnerability in it, doesn't that, by default, make it the other developers' problem to fix?

  9. bazza Silver badge

    Target Improbable

    Given that Google are trying to build a new execution environment from (almost) scratch in a very short period of time, it's inevitable that problems are going to be incorporated.

    The traditional OSes have been developed over decades and they're still not right yet. What's so special about Google's approach to make it likely that ChromeOS is trouble free in such a short period of time? Personally speaking I won't be touching it with a barge pole.

    Google's only motivation for developing ChromeOS is to capture more of the advertising market. They're a commercial, profit driven company just like every other. ChromeOS is a dangerous strategy because it succeeds only if a substantial number of people can be persuaded that it provides a level of service and security above that which is offered by the more conventional platforms (Win/Mac/*nix). It will be difficult to provide such assurances if security researches keep finding massive holes like this. And by going way beyond the scope of other things like Google Docs, gmail, etc. they're taking on a much bigger task and are less likely to succeed.

  10. Anonymous Coward
    Anonymous Coward

    For security law enforcement must attack the masterminds

    For security law enforcement must attack the masterminds -- the people freely distributing the hacking tools and techniques to anyone.

    Any sophisticated system can be hacked -- it is just a matter of time and expertise.

    Security only exists when the time it takes to develop the hack is shorter than the time it takes to imprison the hacker.

  11. Anonymous Coward

    Better the devil you know

    Well that is my conclusion. Having spent years playing with Linux flavours, Chrome and the rest, at least with windows it is improving massively yet will never be even 99% secure. So I just accept that despite my best efforts there is always a risk of security breach, and I manage my data accordingly.

    By the way, where has the Bill icon gone?!

  12. Michael Wojcik Silver badge

    Google spokesmonkey should google "security"

    "Chromebooks raise security protections on computing hardware to new levels", quoth your Google spokesperson.

    Right. Ignorant about both security *and* non-PC platforms, then, and apparently confused about the distinction between operating system and hardware. I think we can safely disregard anything from that source.

This topic is closed for new posts.

Other stories you might like