And because the vulnerability is present in an extension, such as an RSS reader or mail notifier – and not an individual website – users can be infected anywhere they visit, WhiteHat Security researchers Matt Johansen and Kyle Osborn said Wednesday at the Black Hat conference in Las Vegas.
"Extensions run as mini-websites and have web application vulnerabilities," Johansen said. "Cross-site scripting on an extension can attack the user of any website. That's what makes this so unprecedented."
Last fall, the researchers studied the beta version of the Google CR-48 Chrome OS notebook. While the device is locked down, with nothing stored locally and users being unable to download any code, the pair was able to discover gaping flaws in exensions, which users are permitted to install. Johansen and Osborn exploited bugs to inject malicious JavaScript, which could enable attackers to steal valuable data, such as one's email contents and contacts.
And sandboxing, a technology in Chrome, which isolates each tab in its own process, won't defend against this threat, they said.
The key to the attack is that, many times, Chrome extensions need wide-open permissions to run. Common APIs allow these extensions to access things like bookmarks, cookies and history on a user's machine.
"I don't care about your hard drive," Johansen said. "All I need is JavaScript."
Johansen and Osborn, who were in contact with Google during their research, demonstrated an attack on ScratchPad, a preinstalled note-taking extension. The adversary can share a ScratchPad file, containing injected code, to exfiltrate the contents of a victim's Gmail account, the researchers explained.
In addition, the pair showed how to attack the LastPass online password manager to steal credentials simply by piggybacking on a vulnerable extension, even though LastPass itself is not vulnerable. Joahansen and Osborn said LastPass is not the only flaw-free program that could be susceptible to this style of attack.
The solution, the duo said, is not only to fix vulnerable code, which is the responsibility of the extension developer, but also ensure the extensions are not running with more permissions than they need.
Google has recently released a tip guide that covers secure extension development, including building in more restrictive permissions.
A Google spokesman told SCMagazineUS.com on Wednesday that the issue presented by the researchers is not specific to Chrome.
"This conversation is about the web, not Chrome OS," he said. "Chromebooks raise security protections on computing hardware to new levels."
