Google Chrome OS vulnerable to attack via APIs

Experts found vulnerabilities in Scratchpad

Researchers have discovered that while Google's Chrome operating system (OS) is far more secure than Windows, it is vulnerable to web-based attacks through its core APIs.

Speaking at the Black Hat security conference in Las Vegas, web security researchers Matt Johansen and Kyle Osborn of Whitehat Security explained that the fact that Chrome is web based meant that they had to look outside the normal areas for security vulnerabilities.

"We're not looking for the 'usual suspects' like buffer overflows or vulnerabilities in [Adobe] Flash or [Microsoft] Office," the researchers stated, according to Kaspersky's Threatpost site.

Johensen and Osborn found vulnerabilities in Scratchpad, Chrome's answer to Microsoft's Notepad. This would enable one user to take another's Google account, stealing contacts and other data via a shared Scratchpad service.

However, once notified of the flaw, Google fixed it.

The researchers suggested that attacks could be made fairly simply via key Chrome APIs, some of which allow scripts to run automatically when a specific web site is accessed. They proposed that these could be used in attacks against banking or e-commerce sites.

They added that Google is considering developing application-specific APIs which would control other APIs more closely and further secure data stored on Google via the web.