Chrome OS is Google's approach to computing with an emphasis on its security. Applications on the Web users won't run out-of-date software, leaving them open to security vulnerabilities. The system is automatically updated, and little stored on the user's computer. Malicious software trying to get into a Chrome computer, will find Google can remotely restore the operating system to its pristine state, making it less vulnerable to viruses and other threats.

But reports Technology Review White Hat Security researchers, Matt Johansen (left) and Kyle Osborn (right) , from the Web application security company demonstrate that moving to the Web comes with its own set of dangers.

"There is no access to the hard drive, but we don't care," says Johansen. "We're after information. We're not trying to build a botnet on your Chromebook."

Using common hacking techniques the researchers were successful cross-site scripting which involves injecting a Web page with code that runs in the browsers of visitors to the site.

The code then performs malicious tasks on those visitors' machines. ChromeOS is designed to limit the damage this technique could cause. It does this via a technique called sandboxing, which is meant to prevent what's happening in one browser tab from affecting another. Johansen and Osborn used cross-site scripting to attack ChromeOS's browser extensions, which typically add new functionality.

ChromeOS extensions are more powerful than those in other browsers, and not subject to the same sandbox rules as browser tabs. They exist, in part, to provide functions that affect multiple tabs. "You're talking a super pared-down version of the operating system," says Osborn, "and they're trying to rebuild functionality through extensions."

Finding that xtensions can get broad access to what's going on in users' browser tabs these could be used to steal usernames, passwords, cookies, browsing history information, including information that comes from sites that don't have vulnerabilities themselves.

Many existing extensions had broad permissions, and were vulnerable to cross-site scripting and the team showed it was possible to build malicious extensions disguised, for example, as ways to get images.
This threat cannot be blocked because anyone can make an extension, and Google doesn't review them before making them available to users. There are nearly always going to be some extensions with security vulnerabilities, offering hackers a way to bypass the othe solid protections of ChromeOS.

The researchers were even able to steal data from pass word management system LastPass, by taking over a different extension, using it to open new tabs that allowed them to see the password information that LastPass inserted.

Google has fixed the problems with its own extensions, and is contacting extension makers who may be able to help.  But moving the computing experience entirely to the Web may solve one set of security problems while opening up a Pandora's box of new ones.