Well, somebody’s finally done it. Google’s been selling us for quite a while on just how secure Chrome is, and they haven’t really lied to us. Getting into the OS or the browser for that matter has proved pretty darn difficult. But at the Black Hat security conference two researchers with White Hat Security have gotten into Chrome OS.

The flaw is in ScratchPad, a Chrome app that allows users to compose text files and then save them to Google Docs. Through it, the attacker can gain access to a person’s e-mail, contacts, and Google Docs and Voice accounts. Give Google some credit here though, the two redarchers working on this — Matt Johanson and Kyle Osborn — said they spent months looking for a hole, and must have only found one now.

To their credit, Johanson and Osborn have informed Google of the flaw and said that it and some other flaws had been addressed, but that some issues do remain. Chrome OS does remain one of the most secure platforms, thanks to Google’s work in ensuring holes are closed.

White Hat’s work came actually as a result of a Google query to the firm on finding security flaws within Chrome OS. The ScratchPad bug was one of those found as a result. The two researchers also said they continue to look for issues, but are treating it more like they would a mobile phone.

That’s because of the way the operating system is built. Since most apps are web-based, functionality is gained through the addition of extensions, much like a browser or mobile phone. Chrome OS is only as powerful as you’ll make it — so the entry point for an attacker is likely to be through an extension rather than the OS itself.

What’s that mean? Google’s going to need to be very careful about Chrome OS extensions.

Read more: