Hacking Google Chrome OS

Google + the cloud + web applications is a recipe for a fun security cocktail.

In the last few months, two members of the WhiteHat Security’s Threat Research Center — Matt Johansen and Kyle Osborn — hacked away at Google’s Cr-48 prototype laptops and discovered a slew of serious and fundamental security design flaws.

Now, they are sharing their findings with the Black Hat audience, promising to discuss security holes that could expose users to the following types of attacks:

• Exposing of all user email, contacts, and saved documents.
• Conduct high speed scans their intranet work and revealing active host IP addresses.
• Spoofing messaging in their Google Voice account.
• Taking over their Google account by stealing session cookies, and in some case do the same on other visited domains.

Johansen and Osborn said Google was informed of the findings and has already fixed some vulnerabilities they plan to discuss many of the underlying Google Chrome OS weaknesses that remain — including for evil extensions to be easily made available in the WebStore, the ability for payloads to go viral, and javascript malware survive reboot.