Chrome OS' Reported Security Problems Are In Fact Web Problems

by Ostatic Staff - Aug. 04, 2011

One of the most ballyhooed aspects of Google's Chrome OS is its security model, which Google officials have touted as airtight ever since the operating system was announced. Chrome OS works with data and applications in the cloud, and is indeed free of many of the susceptibilities to malware that come with local data and application usage. However, security researchers have been claiming to have found holes in Chrome OS' security model. A close look at these claims, though, shows that the problems cited are simply standard problems that anyone using the web or common messaging systems is vulnerable to.

At the end of June, Reuters ran a news story on claims from a researcher at WhiteHat Security, Matt Johansen, that he had found holes in Chrome's security model. Specifically, Johansen found a way, using the Scratchpad note-taking extension for Chrome, to hack into Gmail accounts. Google has paid Johansen a $1,000 bug bounty, according to Reuters, which also reported this:

"One key to hacking Chrome OS is to capture data as it travels between the Chrome browser and the cloud, Johansen said. Hackers have until now mostly targeted data that sits on a machine's hard drive."

This is where it becomes clear that current reports on Chrome OS' security failures are in fact reports on vulnerabilities that everyone using the web is susceptible to. The Register gets it right in its analysis:

"According to two researchers who spent the past few months analyzing the Chrome-powered Cr-48 beta released in December, the browser-based OS is vulnerable to many of the same serious attacks that afflict people surfing websites. As a result, users remain susceptible to exploits that can intercept email, documents, and passwords stored on centralized servers, many of which are maintained by Google."

The Register also notes that many of the security problems being reported arise from use of Chrome OS extensions, which not all users deploy. At heart, Chrome OS is a Linux operating system. In fact, Canonical helped Google develop it.

Without a doubt, most users of the OS are far safer with it than Windows users are, but anyone who uses the web or email systems confronts at least some vulnerabilities to malware and script kiddies. In relative terms, Chrome OS remains a very secure operating system.