Johansen declined to identify the applications with the security bugs. He and colleague Kyle Osborn are holding back that information for a presentation at Black Hat, a prestigious hacking conference to be held this August in Las Vegas.
Those applications belong to a class of software programs known as "extensions," which users download from the Google Chrome Web Store. Extensions are essentially applications that run inside browsers.
The bulk of Chrome OS extensions are written by independent software developers, not by Google.
Johansen said the problem with the extensions is related to a design flaw in Google Chrome OS: the operating system gives extensions sweeping rights to access data stored on the cloud.
"Chrome is trusting these extensions more than it would be trusting just another website," he said.
Executives at Google said they are looking to improve procedures that screen extensions for vulnerabilities before clearing them for the Chrome Web Store.
Caesar Sengupta, director of Chrome OS, said the company was exploring "various ways" of trying to automatically tag questionable extensions. Yet he said that Google did not want to make it onerous for developers to get their extensions distributed through the marketplace.
"We are trying to create a system that -- like the Web -- is open," he said.
Alex Stamos, a security expert with iSec Partners who helped develop the security system for Chrome OS, said that it would be unfair to condemn the overall security of the new operating system just because of the issues cited by the WhiteHat researchers.
"While things might not be perfect, we are talking about a much more controlled and secure environment than you have on Windows and Mac PCs," he said.
For information on the Black Hat conference, see www.blackhat.com.
Copyright © CyberMedia India Online Ltd. All rights reserved. Usage of content from web site is subject to Terms and Conditions.