Flaws in Google Chrome extensions could enable attackers to steal account credentials, hijack browser sessions and virtually take over a victim’s computer without their knowledge, according to two researchers at WhiteHat Security Inc. They say the flaws jeopardize Chromebook security. Chromebook, the new Web-based laptop/netbook platform based on the Google Chrome OS, relies on extensions for its functionality.
Google patched 30 vulnerabilities in Chrome today, paying out the third-highest bounty total ever for the bugs that outsiders filed with its security team.
The company packaged the patches with an update to Chrome 13, adding Instant Pages to the "stable" channel of the browser. The feature, which Google earlier tucked into Chrome 13 previews, proactively pre-loads some search results to speed up browsing.
A penetration tester has exploted a hole in Google Chrome that granted unauthorised access to gmail accounts.
WhiteHat Security researcher Matt Johansen identified the vulnerability in a Chrome OS note-taking application. He disclosed the hole to Google which patched it and gave him US$1000 as part of its Chromium security initiative.
Johansen told Reuters he intercepted data travelling between a Chrome browser extension and the Google cloud.
Google has released a list of security features being built into the upcoming Chrome 13 and includes Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) implementations, certificate pinning and self-XSS filter.
