Can a Chromebook be infected by a computer virus through a malicious website?

Tl;dr - yes (but unlikely).


From https://en.wikipedia.org/wiki/Chrome_OS:

Chrome OS is an operating system designed by Google that is based on the Linux kernel and uses the Google Chrome web browser as its principal user interface. As a result, Chrome OS primarily supports web applications.

Google around for information about Linux & virus and you will find that it is low runner, but certainly not unheard of.

For instance, Does Linux need antivirus? says

There is much debate as to whether Linux needs antivirus. Proponents of Linux state that its heritage as a multi-user, networked operating systems means that it was built from the ground up with superior malware defense. Others take the stance that while some operating systems can be more resistant to malware, there’s simply no such thing as a virus-resistant operating system. The second group is correct – Linux is not impervious to viruses

and Can my UNIX or Linux computer become infected with a virus? says

Few viruses are currently known for UNIX or Linux. However, virus checking is necessary for these reasons:

  • UNIX or Linux computers acting as servers for other operating system client workstations can become carriers for other virus types, e.g. Windows macro viruses.
  • UNIX and Linux computers are often used as mail servers, and can check email for worms and infected attachments before they reach the desktop.
  • If your UNIX or Linux computer is running a PC emulator (a 'soft PC'), applications running under that emulator are vulnerable to viruses, particularly macro viruses.

So, you are at little risk, but not no risk

Recommended reading: Chromebook How To: Viruses, Malware and Chrome OS Security


tl;dr

Yes, just be careful and don't install any extensions and if you do make sure you understand the permissions they ask for.


Note: The professional definition of "computer virus" is a specific type of malicious application, the "normal" definition of "computer virus" is more or less any malicious application. Reading the OP's post I have interpreted his question to be using the term in the latter meaning.


Totally agree with the other answer and will start from the same place, but expand on it a bit:

Chrome OS is an operating system designed by Google that is based on the Linux kernel and uses the Google Chrome web browser as its principal user interface. As a result, Chrome OS primarily supports web applications.

Source: Wikipedia

Chrome: Passive attacks

Description of attack:

  1. You open a website
  2. Suddenly you have a virus

Likelihood: Even with Chrome on Windows these are incredibly uncommon, but the fact that Chrome on ChromeOS runs on Linux means that it's far less "worth" it for attackers to create attacks for Linux/ChromeOS.

Chrome: Stupid user attacks (malware + malicious site)

Description of attack:

  1. You open a website
  2. Website convinces the user to do something stupid
    • Example: You open a streaming site (the type which takes its content without permission or legal right from the copyright owner) and the site convinces its users to install a missing codec, whilst they actually install some virus.

Likelihood: As Chrome doesn't allow (by default) running actual Linux applications there is a far smaller attack surface. Additionally most of those attacks target once again Windows, so you end up with a bunch of useless .exe files in your Downloads folder.

BUT another type of cross platform attack which does work and is not uncommon is the installation of malicious chrome extensions. These will typically request the permission to

  • Read and change your data on all sites

Anyway, this requires the user to do something stupid and ignore the literal warning that the extension will have the permission to see and change anything you see (including for example your online banking interface).


Note: This doesn't start with a malicious site, so it doesn't really fall under the OP's question from the title, but does answer the question in the body.

Android: Passive attacks

Description of attack:

  1. You install and open a malicious android app
  2. Suddenly you have a virus (where a virus is once again defined as something that could steal your passwords or access your online banking)

Likelihood: The sandboxing on Android apps is so well done that as far as I currently know nobody has yet broken through it. This means practically that you are reasonably safe from this happening though. Of course, any permission you do grant to the android app - just like with the chrome extensions - can be used against you by a malicious player.

Linux attack surface

Description of attack:

  1. (Prequel) You enable linux applications (this is disabled by default and only for powerusers)
  2. You open some innocent looking file
    • Example: Some libreoffice document
  3. Suddenly you have a virus

Likelihood: Even if you do enable linux apps and you open yourself to more or less all the dangers or running normal linux, viruses on Linux are incredibly uncommon. See Mawq's answer for a discussion of this.


Chrome OS has some features that make it very difficult for a virus to run, to elevate privilege to root, or to survive a reboot (become persistent).

  • The Chrome Sandbox (pdf) limits what a process can do. All operations are sandboxed, apart from basic CPU and memory usage. This means the renderer, javascript process, PDF renderer, etc. are sandboxed, and will not be allowed to execute arbitrary syscalls, write to arbitrary files, do network io, etc. unless those calls are explicitly allowed.

  • Verified Boot (Firmware boot). The Chrome OS boot happens in several stages. The first stage is a boot flash ROM, which is protected from writing by a hardware switch on the motherboard (this protection can be disabled if you want to flash your own boot loader). The Chrome firmware is stored in two writeable slots, but the signature is verified by the first stage, so it can't be arbitrarily modified and still boot. The kernel and initramfs are stored as GPT volumes and are signed, so those can't be modified either. The actual OS filesystem uses Verity to sign every block, and the signature is checked when a block is loaded, so the file system can't be modified either.

  • Constant updates. Chrome OS uses an A/B OS install so that security updates can be shipped regularly and automatically, with failed updates being easily reverted.

So, for a virus to run on the Chromebook, it would require a persistent compromise that chains something like:

  • an exploit to run native code (the virus)
  • a sandbox escape, to access the filesystem
  • a root exploit, in order to modify OS files
  • a "verified boot" exploit, targetting the firmware flash or filesystem, so that the modified OS files will be loaded on reboot
  • some way to spread to other Chromebooks (if we are talking about a traditional virus)

Google offer a $100k bounty for anyone who reveals such a persistent compromise. There are only a couple of instances (1,2) where this has been claimed. The second of these required chaining together five CVE vulnerabilities. Not easy.