Jul 1, 2011 07:46 GMT

Security researchers have identified vulnerabilities in Chrome OS extensions that allow attackers to steal sensitive data and access the victim's accounts.

According to Reuters, researchers Matt Johansen and Kyle Osborn of WhiteHat Security originally discovered the hole in a Chrome OS note-taking application.

Google fixed the problem earlier this year and paid the researchers $1,000 through its security reward program. However, the two experts have since identified the same type of vulnerability in multiple Chrome extensions.

Google flaunts Chrome OS systems as more secure than regular PCs because they lack many attack vectors and benefit from additional security layers like sandboxing and integrity checks.

However, as a Web-oriented operating system, Chrome OS is dependent on extensions and apps for additional functionality and that by itself exposes a large attack surface.

Surf through the extension collection on the Chrome Web Store and you'll notice that many of them come with a warning that reads "This extension can access: Your data on all websites."

In case you've never paid attention to this, know that you're not alone. Most users don't, and that's because most extensions that do something useful require this permission.

According to Google's own documentation, by installing such an extension you agree that "This item can read every page that you visit -- your bank, your web email, your Facebook page, and so on."

"Caution: Besides seeing all your pages, this item could use your credentials (cookies) to request your data from websites," the Chrome web store help entry also adds.

Wait, what? Yes, you've read that right. Installing an extension gives it access to pretty much everything you do online, a rather big commitment that most people don't realize.

And remember, these extensions are not coded by Google. They're not subject to rigorous code reviews and are not heavily scrutinized before being made available on the Chrome web store.

As a result, they can and most likely do contain exploitable vulnerabilities that can give attackers access to your entire web browsing experience and more.

The two WhiteHat Security researchers plan to demonstrate this at the Black Hat security conference later this year and their presentation will probably help raise awareness of the problem.

However, since it's a design flaw, there is no easy fix. In the meantime, users are strongly advised to seriously reconsider the necessity of every extension they have installed or plan to install.
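
Part of that review can be automated. The following is an added example, not code from the article, the researchers or Google: it reads an extension's manifest and reports whether its host access covers every site, which is what produces the "Your data on all websites" warning quoted above. The manifests are constructed samples, `auditManifest` is a hypothetical helper name, and the set of all-site match patterns is an assumption covering the common forms.

```javascript
// Added example: audit extension manifests for all-site host access.
// Assumption: these match patterns are the common "every website" forms.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host match patterns carry a scheme; API permissions ("tabs", "cookies") do not.
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

// Hypothetical helper: summarise what a parsed manifest.json can reach.
function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // used by newer manifest versions
  ].filter((p) => typeof p === "string");
  // Content scripts run inside every page that matches, so count them too.
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const hosts = [...new Set([...declared, ...injected].filter(isHostPattern))].sort();
  const allSites = hosts.some((h) => ALL_SITES.has(h));
  return {
    name: manifest.name,
    hosts,
    // The "cookies" API plus host access lets the extension read session cookies.
    cookieAccess: declared.includes("cookies"),
    risk: allSites ? "high" : hosts.length > 0 ? "medium" : "low",
  };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = [
  { name: "Sample Notes", permissions: ["tabs", "cookies", "<all_urls>"] },
  { name: "Sample Scoped Notes",
    permissions: ["storage", "https://notes.example.com/*"],
    content_scripts: [{ matches: ["https://notes.example.com/*"], js: ["cs.js"] }] },
  { name: "Sample Highlighter", permissions: ["storage"],
    content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["hl.js"] }] },
];

for (const m of SAMPLES) {
  const r = auditManifest(m);
  console.log(`${r.risk.padEnd(6)} ${r.name} cookies=${r.cookieAccess} hosts=${r.hosts.join(",")}`);
}
```

The third sample requests no host permission directly but still reaches every page through its content script, which is why the audit checks both places.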