Can a Chromebook be infected by a computer virus through a malicious website?

I am wondering if a Chromebook can receive a virus through a malicious website. I recently have heard they are immune to any sort of virus, but I am not sure that's true. Does somebody know if Chromebooks can be infected with a virus?

Solution 1:

Tl;dr - yes (but unlikely).

From https://en.wikipedia.org/wiki/Chrome_OS:

Chrome OS is an operating system designed by Google that is based on the Linux kernel and uses the Google Chrome web browser as its principal user interface. As a result, Chrome OS primarily supports web applications.

Google around for information about Linux & virus and you will find that it is low runner, but certainly not unheard of.

For instance, Does Linux need antivirus? says

There is much debate as to whether Linux needs antivirus. Proponents of Linux state that its heritage as a multi-user, networked operating systems means that it was built from the ground up with superior malware defense. Others take the stance that while some operating systems can be more resistant to malware, there’s simply no such thing as a virus-resistant operating system. The second group is correct – Linux is not impervious to viruses

and Can my UNIX or Linux computer become infected with a virus? says

Few viruses are currently known for UNIX or Linux. However, virus checking is necessary for these reasons:

• UNIX or Linux computers acting as servers for other operating system client workstations can become carriers for other virus types, e.g. Windows macro viruses.
• UNIX and Linux computers are often used as mail servers, and can check email for worms and infected attachments before they reach the desktop.
• If your UNIX or Linux computer is running a PC emulator (a 'soft PC'), applications running under that emulator are vulnerable to viruses, particularly macro viruses.

So, you are at little risk, but not no risk

Recommended reading: Chromebook How To: Viruses, Malware and Chrome OS Security

Solution 2:

tl;dr

Yes, just be careful and don't install any extensions and if you do make sure you understand the permissions they ask for.

_{^{Note: The professional definition of "computer virus" is a specific type of malicious application, the "normal" definition of "computer virus" is more or less any malicious application. Reading the OP's post I have interpreted his question to be using the term in the latter meaning.}}

Totally agree with the other answer and will start from the same place, but expand on it a bit:

Chrome OS is an operating system designed by Google that is based on the Linux kernel and uses the Google Chrome web browser as its principal user interface. As a result, Chrome OS primarily supports web applications.

Source: Wikipedia

Chrome: Passive attacks

Description of attack:

1. You open a website
2. Suddenly you have a virus

Likelihood: Even with Chrome on Windows these are incredibly uncommon, but the fact that Chrome on ChromeOS runs on Linux means that it's far less "worth" it for attackers to create attacks for Linux/ChromeOS.

Chrome: Stupid user attacks (malware + malicious site)

Description of attack:

1. You open a website
2. Website convinces the user to do something stupid
   • Example: You open a streaming site (the type which takes its content without permission or legal right from the copyright owner) and the site convinces its users to install a missing codec, whilst they actually install some virus.

Likelihood: As Chrome doesn't allow (by default) running actual Linux applications there is a far smaller attack surface. Additionally most of those attacks target once again Windows, so you end up with a bunch of useless .exe files in your Downloads folder.

BUT another type of cross platform attack which does work and is not uncommon is the installation of malicious chrome extensions. These will typically request the permission to

• Read and change your data on all sites

Anyway, this requires the user to do something stupid and ignore the literal warning that the extension will have the permission to see and change anything you see (including for example your online banking interface).

Note: This doesn't start with a malicious site, so it doesn't really fall under the OP's question from the title, but does answer the question in the body.

Android: Passive attacks

Description of attack:

1. You install and open a malicious android app
2. Suddenly you have a virus (where a virus is once again defined as something that could steal your passwords or access your online banking)

Likelihood: The sandboxing on Android apps is so well done that as far as I currently know nobody has yet broken through it. This means practically that you are reasonably safe from this happening though. Of course, any permission you do grant to the android app - just like with the chrome extensions - can be used against you by a malicious player.

Linux attack surface

Description of attack:

1. (Prequel) You enable linux applications (this is disabled by default and only for powerusers)
2. You open some innocent looking file
   • Example: Some libreoffice document
3. Suddenly you have a virus

Likelihood: Even if you do enable linux apps and you open yourself to more or less all the dangers or running normal linux, viruses on Linux are incredibly uncommon. See Mawq's answer for a discussion of this.