* Chrome PCs vulnerable to attack via Internet-researchers
* Weak link is Web-connected apps that run in browser
By Jim Finkle
BOSTON, June 29 (Reuters) - Google Inc (GOOG.O) brags that computers running its recently released Chrome operating system are a lot safer than traditional PCs, partly because user data is stored in the Internet cloud and not on the machine.
Yet researchers at an independent computer security firm warn that the Chrome PC's reliance on Web computing makes it vulnerable to the same attacks that hackers have been launching on websites and Web browsers for years.
Matt Johansen, a researcher with WhiteHat Security, said he identified a flaw in a Chrome OS note-taking application that he exploited to take control of a Google email account. He reported it to Google, which fixed the problem and gave him a $1,000 reward for pointing it out.
Johansen said he has since discovered other applications with the same security flaw.
"This is just the tip of the iceberg," he told Reuters. "This is just evolving around us. We can see this becoming a whole new field of malware."
Google is betting that the launch of its Web-centric Chrome OS PCs will help reshape the the decades-old personal computer industry, challenging entrenched players such as Microsoft Corp (MSFT.O) and Apple Corp (AAPL.O). The first Chrome PC laptop, from Samsung, went on sale earlier this month. Early reviews have been mixed, with some influential technology hands noting that the concept of an always-Internet-connected PC may be ahead of its time and not ideal for mainstream users.
One key to hacking Chrome OS is to capture data as it travels between the Chrome browser and the cloud, Johansen said. Hackers have until now mostly targeted data that sits on a machine's hard drive.
"I can get at your online banking or your FaceBook profile or your email as it is being loaded in the browser," he said. "If I can exploit some kind of Web application to access that data, then I couldn't care less what is on the hard drive."
Johansen declined to identify the applications with the security bugs. He and colleague Kyle Osborn are holding back that information for a presentation at Black Hat, a prestigious hacking conference to be held this August in Las Vegas.
Those applications belong to a class of software programs known as "extensions," which users download from the Google Chrome Web Store. Extensions are essentially applications that run inside browsers
The bulk of Chrome OS extensions are written by independent software developers, not by Google.
Johansen said the problem with the extensions is related to a design flaw in Google Chrome OS: the operating system gives extensions sweeping rights to access data stored on the cloud.
"Chrome is trusting these extensions more than it would be trusting just another website," he said.
Executives at Google said they are looking to improve procedures that screen extensions for vulnerabilities before clearing them for the Chrome Web Store.
Caesar Sengupta, director of Chrome OS, said the company was exploring "various ways" of trying to automatically tag questionable extensions. Yet he said that Google did not want to make it onerous for developers to get their extensions distributed through the marketplace.
"We are trying to create a system that -- like the Web -- is open," he said.
Alex Stamos, a security expert with iSec Partners who helped develop the security system for Chrome OS, said that it would be unfair to condemn the overall security of the new operating system just because of the issues cited by the WhiteHat researchers.
"While things might not be perfect, we are talking about a much more controlled and secure environment than you have on Windows and Mac PCs," he said.
For information on the Black Hat conference, see www.blackhat.com. (Reporting by Jim Finkle; Additional reporting by Alexei Oreskovic; Editing by Gary Hill)