A new side-channel attack has been shown to work against contemporary CPUs and to defeat the Site Isolation protection in Chrome and Chromium-based browsers, resulting in leakage of sensitive data.
Described as “Spook.js”, the technique is implemented in JavaScript and specifically targets the mechanism Google built into Chromium browsers to limit data sharing across sites: content from different sites is kept out of the same process, and therefore out of the same memory address space.
The researchers say that an attacker-controlled webpage can leak information about other pages of the same website the user is visiting, steal sensitive data from those pages if it is present in their memory, and even recover credentials (for example usernames and passwords) when they are autofilled. Spook.js also lets an attacker extract data from other Chrome extensions if the user has installed a malicious extension.
As a result, any information held in the memory of a website or a Chrome extension, including personally identifiable information such as autofilled usernames, passwords and credit card numbers, may be retrieved.
Google said that the attack takes advantage of speculative execution features common to many CPUs to access memory regions that should be inaccessible to a piece of code, and then uses timing side channels to infer the values stored in that memory. If untrusted code is allowed to run, it may be able to read any memory in the address space of the process that hosts it.
Site Isolation, a software countermeasure that Google rolled out in July 2018, is meant to limit the impact of such attacks and to protect sites against cross-site exploit attempts. When enabled, this feature makes Chrome versions 67 and newer load each site in a separate process, so that code running in one process cannot read the memory of another site.
However, the recent study shows that while Site Isolation successfully separates two different websites, it does not separate everything that should be separated. It isolates at the granularity of a site (scheme plus registrable domain, i.e. eTLD+1), so pages served from different subdomains or paths of the same site can still share a process and an address space. Spook.js leverages this gap in Chrome and Chromium-based browsers running on Intel, AMD and Apple M1 CPUs to leak information across that shared process.
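To make that granularity concrete, here is an added example (not code from the article, from Chrome, or from the Spook.js authors) that models the grouping rule in JavaScript: a site key is the scheme plus the registrable domain (eTLD+1), and two URLs with the same key are candidates to share a renderer process. The public suffix list is a constructed subset for the demo, and the hostnames (login.example.com, evil.example.com) are hypothetical; Chrome's real process model is implemented in C++ and handles many more cases.

```javascript
// Added example: a toy model of Chrome's Site Isolation grouping rule.
// Not Chrome's code. Chrome keys a renderer process on the "site", which is
// the scheme plus the registrable domain (eTLD+1), not the full origin.

// Constructed subset of the public suffix list, enough for the demo below.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Site key for a URL: scheme plus registrable domain. Returns null for
// schemes the demo does not model (file:, data:, ...).
function siteOf(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  const labels = url.hostname.split(".");
  // Try suffixes from the longest (most labels) down; the first hit is the
  // public suffix, and the label in front of it completes the registrable domain.
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return `${url.protocol}//${labels.slice(i - 1).join(".")}`;
    }
  }
  // No known suffix (e.g. "localhost" or an intranet host): the host is the site.
  return `${url.protocol}//${url.hostname}`;
}

// Two URLs may be consolidated into one renderer process when their site keys match.
function sameSite(urlA, urlB) {
  const a = siteOf(urlA);
  const b = siteOf(urlB);
  return a !== null && a === b;
}

// Given a victim page and candidate attacker pages, report which candidates
// Site Isolation would NOT separate from the victim.
function coResidentCandidates(victimUrl, candidateUrls) {
  return candidateUrls.filter((u) => sameSite(victimUrl, u));
}

// Constructed scenario: a login page and an attacker-controlled page on a
// sibling subdomain of the same hypothetical site.
const VICTIM = "https://login.example.com/account";
const CANDIDATES = [
  "https://evil.example.com/",  // same site: may share a process with the victim
  "https://evil.org/",          // different site: separate process
  "http://example.com/",        // same host, different scheme: different site
  "https://alice.github.io/",   // github.io is a public suffix: its own site
];

console.log("victim site key:", siteOf(VICTIM));
console.log("not separated from victim:", coResidentCandidates(VICTIM, CANDIDATES));
```

The point of the model is the first candidate: an attacker who can serve content under any subdomain of the same registrable domain (user-hosted pages, a compromised subdomain, a marketing microsite) lands in the same site key as the login page, and Site Isolation alone gives no guarantee that the two will be kept in different processes.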
As far as browser-based speculative execution attacks are concerned, the researchers argue that Spook.js shows current defenses are inadequate to protect users. That said, Spook.js is very difficult to exploit in practice, and doing so requires a significant amount of side-channel expertise on the attacker’s side.
In response to the study’s findings, in July this year the Chrome Security Team added a new Site Isolation setting that prevents extensions from sharing processes with each other, and extended Site Isolation to sites where users log in through third-party providers. The new option, called Strict Extension Isolation, is available in Chrome 92 and above.