Thursday 4 August 2011

Chromebook security issue due to errors in Google Chrome extensions

Google Chrome extension vulnerabilities could enable an attacker to steal account credentials and hijack browser sessions, and take over the victim's computer without their knowledge, say two researchers at WhiteHat Security Inc. According to the researchers, the errors are a Chromebook security issue. The Chromebook, the new Web-based laptop/netbook platform based on Google's Chrome operating system, depends on extensions for its functionality.

Vulnerability found in Chromebooks

At Black Hat 2011, Matt Johansen and Kyle Osborn of Santa Clara, Calif.-based WhiteHat Security found ways cybercriminals can use extensions to deliver cross-site scripting (XSS), a Web application coding error frequently used by attackers. The issue may have a broader effect on Google Chromebook users, who must rely on Chrome extensions to access documents and other information.

"We tried for years as a model for security software was re-evaluated," said Johansen. "Why should you what is stored on the hard drive, and he was transferred to the bank cloud, social networks and whether the registered e-mail accounts?”

Google has promoted the Chromebook platform as a new generation of computers. Chrome extensions extend the functionality of the Chrome browser, which serves as the basis of the Web-based operating system, and make the Web applications available in it more useful. Users can browse a store for extensions that add functionality to the browser.

Chrome's sandboxing, a security feature, prevents an attack from reaching critical system processes; however, Chrome extensions are an exception. They are fairly easy; secure an extension of an attacker to steal data for the construction of a fault length of the jump can communicate with each other.

Johansen and Osborn were asked by Google to find vulnerabilities in a beta Chromebook laptop, and said many problems were identified in Chrome extensions, many of which are created by third-party developers. The attacks exploit vulnerabilities that have been used against Web applications for many years.

Chromebook security: Techniques to attack Chrome extensions

In their Black Hat presentation, the two researchers showed the problem, demonstrating how one extension enabled them to target a second extension. The technique was shown against the browser extension for LastPass, a popular password storage service from the company of the same name. While there is no security vulnerability in LastPass, the technique exploits an XSS vulnerability in an extension to steal passwords and take full control of the victim's LastPass account. The technique steals the session cookie to hijack the victim's access to the password store.

"RSS reader, email notification, and laptops - and finds himself in a place that shows what the user in question about it," said Johansen. "The victim is and how to access the hard disk, do worry, all the hacker may want to cross-site scripting is more.”

Worse still, the Browser Exploitation Framework (BeEF) can help cybercriminals automate attacks. BeEF, a legitimate open source tool used by security experts, can be injected into a vulnerable area, and the attacker's malicious JavaScript code is then executed in the context of the victim's Chromebook.

Responsibilities of third-party developers

The problem lies in the permissions that third-party developers set for their Chrome extensions. Allow Google Docs, or third party website to access data as custodian’s web to build an extension to provide. For example, banks are required to access servers that are extensions of the store. An RSS reader extension can be a big problem, according to the researchers, because an RSS reader must have access to almost all possible fields. WhiteHat researchers using the technique described by an attacker to steal data stores can enter.

Responsibility for correcting vulnerabilities and eliminating unnecessary permissions lies with third-party developers. Warehouse with the process of code review Google, no decision of this decision, the authorized user too, so if and extension request.

"So you just worry about the vision of security developers, however, some extensions are not allowed to run wide open," said Johansen. "We saw everything in nature extensions of open licenses."

Google responds

A problem was identified with one of Google's own extensions, a note-taking application that automatically synchronizes with the user's Google Account and can be shared with anyone in the user's Google contact list. The company also responded to the latest security research on its Chrome blog, offering suggestions to help developers make sure their extensions are secure.

Google has also made the following statement:

"This speech is not the web with Chrome. Chromebooks increased protection to new levels of hardware. Also discuss the attacks can affect a computer equipped for better Web browsers device, Chrome is a carefully designed model can be used on many users and experts, and partly thanks to improved security extensions embraced. "

Some manufacturers, such as Acer Inc. and Samsung, make Chromebooks.
