No Big Deal: Black Hat Revelation Ignored By Chrome OS Community
Chromium OS Black Hat USA 2011
Response from the Chrome OS community? A yawn.
Chrome extensions are the primary means of expanding the functionality and usefulness of a Chromebook, and are an essential part of a machine that relies on the Internet for literally all of its content and its ability to allow users to be productive. Many thousands of extensions exist in Google's extension Web site, and most are free.
All the extensions offered at the site clearly indicate how much privacy you're giving up by using them. For example, a low alert is given to extensions that can see your installed apps, bookmarks and browsing history; a medium alert means the extension can see data you leave on Web sites; and a high alert means that the extension can see everything.
Perhaps that's the reason why the blogosphere and Chrome forums have been relatively quiet about the issue. Sure, there were plenty of news stories covering last week's so-called discovery, but there has been virtually no reaction that we could find among developers or bloggers.
The vulnerability demonstrated by researchers Matt Johansen and Kyle Osborn of Silicon Valley-based WhiteHat Security was an example of a cross-site scripting exploit, a vulnerability that software engineer Erik Kay addressed just weeks before on the Chromium Blog.
In it, Kay describes such vulnerabilities and other known issues and points to the browser's "built-in protections to make it more difficult to introduce exploitable code." He also points to the Open Web Application Security Project's cross-site scripting (XSS) prevention guidelines.
Since the revelation, which involved Google's own Scratchpad extension, the company has corrected the problem. It has also reiterated its position that the problem lies with the way developers set permissions and, in a statement, reiterated the urgency of responsible, informed programming.
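The alert tiers described above can be checked against an extension's manifest before it ships or is installed, which is where the permission choices Google refers to are made. The sketch below is an added example, not code from Google, WhiteHat Security or the Chrome Web Store. The mapping of manifest entries to the low, medium and high tiers is an assumption based on Chrome's documented manifest permissions, and the sample manifest is constructed.

```javascript
// Tier names follow the article; the permission-to-tier mapping is an assumption.
const LOW_PERMISSIONS = new Set(["management", "bookmarks", "history", "tabs"]);
const RANK = { none: 0, low: 1, medium: 2, high: 3 };

// A host match pattern such as "*://*/*" or "https://*.example.com/*".
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

// True when the pattern covers every host rather than one named site.
function matchesAllHosts(p) {
  if (p === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]*)\//.exec(p);
  return m !== null && m[2] === "*";
}

function auditManifest(manifest) {
  const findings = [];
  const note = (level, reason) => findings.push({ level, reason });
  // Native (NPAPI) plugins get full access to the machine: the "everything" tier.
  if (Array.isArray(manifest.plugins) && manifest.plugins.length > 0) {
    note("high", "bundles a native plugin");
  }
  // Host access comes from permissions and from content script match lists.
  const scripts = manifest.content_scripts || [];
  const hosts = [
    ...(manifest.permissions || []).filter(isHostPattern),
    ...scripts.flatMap((cs) => cs.matches || []),
  ];
  for (const h of hosts) {
    note("medium", matchesAllHosts(h) ? `data on all sites (${h})` : `data on ${h}`);
  }
  for (const p of manifest.permissions || []) {
    if (LOW_PERMISSIONS.has(p)) note("low", `API permission "${p}"`);
  }
  const level = findings.reduce((top, f) => (RANK[f.level] > RANK[top] ? f.level : top), "none");
  // broadHosts is what a reviewer should challenge first: access to every site.
  return { level, broadHosts: hosts.filter(matchesAllHosts), findings };
}

// Constructed sample manifest for a hypothetical note-taking extension.
const sampleManifest = {
  name: "Example Notes",
  version: "1.0",
  permissions: ["tabs", "bookmarks", "*://*/*"],
  content_scripts: [{ matches: ["https://docs.example.com/*"], js: ["inject.js"] }],
};
console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

Any entry in `broadHosts` means a script injection flaw in the extension reaches every site the user visits, so narrowing those patterns to the hosts the extension actually needs limits what a single bug can expose.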