* Chrome PCs vulnerable to attack via Internet - researchers
* Weak link is Web-connected apps that run in browser
By Jim Finkle
BOSTON, June 29 - Google Inc (GOOG.O) brags that
computers running its recently released Chrome operating system
are a lot safer than traditional PCs, partly because user data
is stored in the Internet cloud and not on the machine.
Yet researchers at an independent computer security firm
warn that the Chrome PC's reliance on Web computing makes it
vulnerable to the same attacks that hackers have been launching
on websites and Web browsers for years.
Matt Johansen, a researcher with WhiteHat Security, said he
identified a flaw in a Chrome OS note-taking application that
he exploited to take control of a Google email account. He
reported it to Google, which fixed the problem and gave him a
$1,000 reward for pointing it out.
Johansen said he has since discovered other applications
with the same security flaw.
"This is just the tip of the iceberg," he told Reuters.
"This is just evolving around us. We can see this becoming a
whole new field of malware."
Google is betting that the launch of its Web-centric Chrome
OS PCs will help reshape the decades-old personal computer
industry, challenging entrenched players such as Microsoft Corp
(MSFT.O) and Apple Corp (AAPL.O). The first Chrome PC laptop,
from Samsung, went on sale earlier this month. Early reviews
have been mixed, with some influential technology hands noting
that the concept of an always-Internet-connected PC may be
ahead of its time and not ideal for mainstream users.
One key to hacking Chrome OS is to capture data as it
travels between the Chrome browser and the cloud, Johansen
said. Hackers have until now mostly targeted data that sits on
a machine's hard drive.
"I can get at your online banking or your Facebook profile
or your email as it is being loaded in the browser," he said.
"If I can exploit some kind of Web application to access that
data, then I couldn't care less what is on the hard drive."
Johansen declined to identify the applications with the
security bugs. He and colleague Kyle Osborn are holding back
that information for a presentation at Black Hat, a prestigious
hacking conference to be held this August in Las Vegas.
Those applications belong to a class of software programs
known as "extensions," which users download from the Google
Chrome Web Store. Extensions are essentially applications that
run inside browsers.
The bulk of Chrome OS extensions are written by independent
software developers, not by Google.
Johansen said the problem with the extensions is related to
a design flaw in Google Chrome OS: the operating system gives
extensions sweeping rights to access data stored on the cloud.
"Chrome is trusting these extensions more than it would be
trusting just another website," he said.
Executives at Google said they are looking to improve
procedures that screen extensions for vulnerabilities before
clearing them for the Chrome Web Store.
Caesar Sengupta, director of Chrome OS, said the company
was exploring "various ways" of trying to automatically tag
questionable extensions. Yet he said that Google did not want
to make it onerous for developers to get their extensions
distributed through the marketplace.
"We are trying to create a system that -- like the Web --
is open," he said.
Alex Stamos, a security expert with iSec Partners who
helped develop the security system for Chrome OS, said that it
would be unfair to condemn the overall security of the new
operating system just because of the issues cited by the
"While things might not be perfect, we are talking about a
much more controlled and secure environment than you have on
Windows and Mac PCs," he said.
For information on the Black Hat conference, see
(Reporting by Jim Finkle; Additional reporting by Alexei
Oreskovic; Editing by Gary Hill)