Researchers Find Chrome OS Vulnerability
With the Black Hat security conference going on right now, it’s the season for new hacks. Still, we didn’t really expect Google’s cloud-based Chrome OS to be a star this year. Google highlighted the increased security of Chrome OS when it was announced, but a team of security researchers has managed to use web tools to gain access to user data.
Matt Johanson and Kyle Osborn spent a few months looking at Chrome OS, eventually finding a flaw in the ScratchPad extension included on every Chromebook. ScratchPad is used to take notes and save them to the cloud. The exploit allows the hacker to access a user’s cloud data like Gmail, contacts, Docs, and Google Voice messages. Google has been working on improving security in Chrome extensions, so hopefully this type of attack won’t be repeated.
Johanson and Osborn demoed the hack live on stage. Despite the gasps of the assembled crowd, many researchers are not surprised. They worry that the use of techniques like XSS and clickjacking will result in more exploits in Chrome OS. Do you think the lack of a real on-disk operating system will make Chrome users more secure, or is this just the beginning?
Comments
yosefhamprey
August 08, 2011 at 8:07pm
Things are not looking very bright for Chrome or droid. Google has to be fast in patching them up.
rstat1
August 04, 2011 at 8:57pm
Guess it's a good thing that Chrome OS isn't a web-based OS. Chrome OS is firmly rooted within the confines of a Chromebook's onboard storage.
Gezzer
August 04, 2011 at 5:48pm
What, they can exploit a web based OS too? We're all Doomed I tell you
Doooooooooooooooooooooommmmmmmmmmmmmmmmmeeddd!
lol, Sorry it's just funny that the crowd "gasped". Any system can be exploited period. It just takes time and a bit of thinking out of the box, but nothing's 100% safe.
Still I prefer client based over server based (cloud) every time. You just have a better level of control over everything. Server based systems are great for a lot of applications. An example is a company with a high number of "off site" locations that all need to use the same software systems. Instead of pushing updates you only need to update the server. Easy peasy. Plus all data (which is the company's) is in a central location, much easier to control and back up.
As for consumer use. It's a bit more of a puzzle why it's being hyped so much. For example any of MS's "to the cloud" commercials. Every application shown is easily done on the computer as opposed to the cloud. And you don't have to use bandwidth for your data as you use the client sided application. As well I guess the "cloud" would be great for an underpowered computer. But most of the applications shown are ones that haven't needed more horsepower since the P2 or P3 days. So why? Your new bottleneck becomes your internet connection is all. Yeah, now those are always 100% reliable
Lastly my biggest problem with the "cloud" has to do with data. Who has the right to my data? Me or the server running the cloud application? What if they cache all my data? Do they have the right to use it or share it? What happens to my data if and when they get hacked? A cloud based server would be a much more tempting target than my own system I would think. I mean I do use cloud based services like Drop box, to share data. I just want to pick what I share, not have it potentially be everything.
I'm just too much of a cynic I guess to totally trust my data to a consumer cloud.
szore
August 05, 2011 at 3:48am
Seems like you've thought it all through pretty good. I agree with all you said.