Matt Johansen and Kyle Osborn presented their paper, titled "Hacking Google ChromeOS", at Black Hat this morning.
Google's netbook operating system has been touted as the first platform designed to be malware free from the start. Users are not able to download, install or execute code on a ChromeBook; they are only allowed to download Chrome extensions.
Johansen and Osborn did not bother trying to prove Google wrong; they simply looked into the implications of having everything "running" as an extension in the browser.
Their research impacts all users of Google Chrome, whether they happen to be using it as an OS or simply as their browser of choice.
They discovered two things. One is that if you are running JavaScript code on the device, your code could be vulnerable to an XSS (cross-site scripting) attack.
When a website has an XSS vulnerability, it allows people to attack that specific site, but it does not affect others. What happens when you have an XSS vulnerability in an application in your browser?
Well, considering the API that Chrome provides for extension development, such a vulnerability allows an attacker to exploit any web site operating within that browser (including all other tabs).
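An added example (not from Johansen and Osborn's talk or from Google): a small JavaScript audit that reads an extension's manifest and reports how much a script injected into that extension could reach. The manifest keys are Chrome's own; the sample manifests, function names and risk labels are constructed for illustration.

```javascript
// Added example: judge from a manifest how far a script injected into an
// extension could reach. Sample manifests are constructed, not real extensions.
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const SENSITIVE_APIS = new Set(['tabs', 'cookies', 'history', 'bookmarks', 'webRequest']);

function cspText(manifest) {
  // Manifest V2 stores the policy as a string, V3 as { extension_pages: "..." }.
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') return csp;
  return (csp && csp.extension_pages) || '';
}

function auditManifest(manifest) {
  // V3 moves host patterns to host_permissions; earlier versions mix them in.
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => typeof p === 'string');
  const hosts = declared.filter((p) => p === '<all_urls>' || p.includes('://'));
  const apis = declared.filter((p) => SENSITIVE_APIS.has(p));
  const allSites = hosts.some((h) => ALL_SITES.has(h));

  const findings = [];
  if (allSites) findings.push('host access to every site');
  else if (hosts.length) findings.push(`host access to ${hosts.length} pattern(s)`);
  if (apis.length) findings.push(`sensitive APIs: ${apis.join(', ')}`);
  if (cspText(manifest).includes("'unsafe-eval'")) findings.push("CSP allows 'unsafe-eval'");

  // Risk label is this example's own scale, not a Chrome concept.
  const risk = allSites ? 'high' : findings.length ? 'medium' : 'low';
  return { name: manifest.name, risk, findings };
}

// Constructed sample manifests.
const SAMPLES = [
  { name: 'sample-feed-reader', permissions: ['tabs', 'http://*/*', 'https://*/*'] },
  { name: 'sample-site-helper', permissions: ['cookies', 'https://example.com/*'],
    content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'" },
  { name: 'sample-notepad', permissions: ['storage'] },
];

function auditAll(manifests) {
  // Highest exposure first, so review time goes to the widest blast radius.
  const order = { high: 0, medium: 1, low: 2 };
  return manifests.map(auditManifest).sort((a, b) => order[a.risk] - order[b.risk]);
}

for (const r of auditAll(SAMPLES)) {
  console.log(`${r.risk.padEnd(6)} ${r.name}: ${r.findings.join('; ') || 'no findings'}`);
}
```

Extensions reported as high are the ones where a single XSS flaw matters most, so they are the first candidates for permission trimming and code review.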