A penetration tester has exploted a hole in Google Chrome that granted unauthorised access to gmail accounts.
WhiteHat Security researcher Matt Johansen identified the vulnerability in a Chrome OS note-taking application.
He disclosed the hole to Google which patched it and gave him US$1000 as part of its Chromium security initiative.
Johansen told Reuters he intercepted data travelling between a Chrome browser extension and the Google cloud.
"I can get at your online banking or your Facebook profile or your email as it is being loaded in the browser," he said.
Google has not yet revealed details of the security hole which Johansen plans to release at the Black Hat conference in Las Vegas this year.
Google extensions, written by third party software developers, were a ripe target for attack because they were granted more privileged access rights to Google cloud data than what the browser offered to web sites.
WhiteHat security detailed in a 2007 research paper (pdf) a series of web application security vulnerabilities that could also be used to attack web browser extensions in Chrome and Mozilla FireFox.
The attack on Google extensions was different to typical exploits that target data residing on hard drives.
"If I can exploit some kind of web application to access that data, then I couldn't care less what is on the hard drive," he said.
But Johansen had since discovered other applications with the same security flaw.
"This is just the tip of the iceberg ... We can see this becoming a whole new field" for malware attacks, he said.
Chrome OS director Caesar Sengupta said there are "significant benefits to security" by storing apps within the browser.
"Unlike traditional operating systems, Chrome OS doesn't trust the applications you run. Each app is contained within a security sandbox making it harder for malware and viruses to infect your computer."
"Furthermore, Chrome OS barely trusts itself. Every time you restart your computer the operating system verifies the integrity of its code. If your system has been compromised, it is designed to fix itself with a reboot.
"While no computer can be made completely secure, we're going to make life much harder and less profitable for the bad guys."
Copyright © SC Magazine, Australia
Issue: 345 | December 2015