With the Black Hat security conference going on right now, it’s the season for new hacks. Although, we didn’t really expect Google’s cloud-based Chrome OS to be a star this year. Google highlighted the increased security of Chrome OS when it was announced, but a team of security researchers has managed to use web tools to gain access to user data.
Matt Johanson and Kyle Osborn spent a few months looking at Chrome OS, eventually finding a flaw in the ScratchPad extension included on ever ChromeBook. ScratchPad is used to take notes and save them to the cloud. The exploit allows the hacker to access a user’s cloud data like Gmail, contacts, Docs, and Google Voice messages. Google has been working on improving security in Chrome extensions, so hopefully this type of attack won’t be repeated.
Johanson and Osborn demoed the hack live on stage. Despite the gasps of the assembled crowd, many researchers are not surprised. They worry that the use of techniques like XSS and clickjacking will result in more exploits in Chrome OS. Do you think the lack of a real on-disc operating system will make Chrome users more secure, or is this just the beginning?