Google Chrome OS Hacked Using ScratchPad App

In a preview of a demonstration at the upcoming Black Hat security conference, a security researcher demonstrated how browser extensions can be used to compromise Chrome OS.

The Chrome extension ScratchPad had a wide range of permissions that made it vulnerable to a cross-site scripting attack, Matt Johansen, an application security specialist at WhiteHat Security, said July 14 in a preview of a presentation he will be making at Black Hat.

Johansen did his work on the Google CR-48 Beta laptop released last fall, but said malicious extensions would affect any device running Chrome OS, whether it is the CR-48 or the Chromebook.

He noted WhiteHat Security was able to “abuse” the Chrome OS “pretty quickly”.

Exploit Based On ScratchPad Weakness

In his preview, Johansen used ScratchPad, a preinstalled extension that allows users to take notes and auto-sync the note files with Google Docs in the “ScratchPad” folder. The extension had a “quote-unquote feature” that allowed users to share ScratchPad folders without requesting any user permissions, Johansen said.

In his demonstration, a friend shared a folder containing a note with malicious code, which was then accessible on the CR-48 through the ScratchPad extension. Once the note was opened, it was able to steal all of his contacts saved in Gmail because he was already logged into Google’s services.

Google patched this specific flaw in the ScratchPad extension after being notified by Johansen. He found similar problems in other extensions but did not mention which ones, although he promised his listeners that he had a few more “tricks up his sleeve” to reveal at Black Hat.

Applications are turning out to be the most common attack vectors for mobile devices but, on a Web-based operating system like Chrome OS, the attacks will come from extensions, Johansen said. Extensions are applications available from the Google Chrome Web store that run in the browser and allow users to access cloud services. While they are similar to Web browser extensions, Chrome OS extensions are far more powerful.

Similar to mobile apps, extensions rely on permissions to gain access to various capabilities and features. The key difference is that mobile apps require permission from the user to access those features while permissions for the Chrome OS extension are set and defined by the developer, Johansen said.
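Because the developer, not the user, decides what an extension may access, the declared permission list is the first thing to review before installing or approving one. The following is an added example, not code from the article, from WhiteHat Security or from Google: it grades the `permissions` list of an extension manifest, using a constructed sample manifest and risk tiers that are this example's own assumptions.

```javascript
// Added example: audit the permissions an extension's developer declared.
// SAMPLE_MANIFEST is constructed for illustration; it is not ScratchPad's manifest.
const SAMPLE_MANIFEST = {
  name: "Example Notes",
  version: "1.0",
  permissions: ["tabs", "cookies", "https://*.google.com/*", "<all_urls>", "storage"],
};

// Chrome API permissions that expose browsing state or session data.
const SENSITIVE_APIS = new Set(["tabs", "cookies", "history", "bookmarks", "webRequest"]);
const RISK_ORDER = ["low", "medium", "high"]; // tiers are this example's assumption

// Host permissions are match patterns: "<all_urls>" or scheme://host/path.
function hostOf(permission) {
  if (permission === "<all_urls>") return "*";
  const m = /^(?:\*|https?|file|ftp):\/\/([^/]*)/.exec(permission);
  return m ? m[1] : null; // null means an API permission, not a host pattern
}

function classify(permission) {
  const host = hostOf(permission);
  if (host === "*") {
    return { permission, risk: "high", reason: "can read and modify pages on every site" };
  }
  if (host !== null && host.startsWith("*.")) {
    return { permission, risk: "medium", reason: `covers every subdomain of ${host.slice(2)}` };
  }
  if (host !== null) {
    return { permission, risk: "low", reason: `limited to ${host}` };
  }
  if (SENSITIVE_APIS.has(permission)) {
    return { permission, risk: "medium", reason: "API exposes browsing or session data" };
  }
  return { permission, risk: "low", reason: "narrow API permission" };
}

// Returns one finding per declared permission; tolerates a missing list.
function auditManifest(manifest) {
  const declared = Array.isArray(manifest.permissions) ? manifest.permissions : [];
  return declared.filter((p) => typeof p === "string").map(classify);
}

function highestRisk(findings) {
  return findings.reduce(
    (max, f) => (RISK_ORDER.indexOf(f.risk) > RISK_ORDER.indexOf(max) ? f.risk : max),
    "low"
  );
}
```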

New Attack Surface

Because the bulk of Chrome OS extensions will be written by independent software developers, extensions represent a “new attack surface”, Johansen said. Users now need to worry about the “security mindset” of the development team behind the extension before downloading.

“Security vulnerabilities are bound to be plentiful,” Johansen said, calling Chrome OS a “target-rich environment”.

Google has been claiming for some time that PCs running on Web-centric Chrome OS are safer than other computers and will reshape the traditional PC industry. In his presentation, Johansen did not say that Chrome OS is not secure, carefully noting that the company has done a great job with overall security in the Web-based operating system.

The focus on cloud-based storage and applications means that a majority of threats are automatically eliminated because malware cannot be downloaded onto the machine. Chrome OS protects users from the “usual suspects”, Johansen said.

Instead of targeting the data stored on the machine’s hard drive, malicious attackers will increasingly target applications that send data between the Chrome browser and the cloud service, Johansen said.

Johansen and colleague Kyle Osborn will demonstrate other ways to hack Chrome OS at Black Hat, which will be held on August 3-4 in Las Vegas, Nevada.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
