Spook.js: Chrome is Threatened by a New Spectre Like Attack

 

A newly found side-channel attack targeting Google Chrome might allow an attacker to use a Spectre-style attack to bypass the web browser's security protections and extract sensitive information. Spook.js is a novel transient execution side-channel attack that specifically targets Chrome. Despite Google's efforts to minimize Spectre by installing Strict Site Isolation, malicious JavaScript code can still extract information in some instances. 

An attacker-controlled webpage can learn which other pages from the same website a user is presently viewing, collect sensitive information from these pages, and even recover auto-filled login credentials (e.g., username and password). If a user downloads a malicious extension, the attacker may obtain data from Chrome extensions (such as credential managers). 

Spectre, which made news across the world in 2018, makes use of vulnerabilities in contemporary CPU optimization features to get around security measures that prohibit separate programmes from accessing one other's memory space. This enabled attackers to steal sensitive information across several websites by attacking how different applications and processes interact with processors and on-chip memory, allowing a wide range of attacks against different types of applications, including web apps. 

Strict Site Isolation was implemented by Google Chrome, which prohibits several web pages from sharing the same process. It also divided each process's address space into separate 32-bit sandboxes (despite being a 64-bit application). 

Site Isolation is a Chrome security feature that provides extra protection against some sorts of security vulnerabilities. It makes it more difficult for websites that aren't trustworthy to get access to or steal information from your accounts on other websites.

Despite these safeguards, Spook.js, according to researchers from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv University, "shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks." 

“More specifically, we show that Chrome’s Strict Site Isolation implementation consolidates webpages based on their eTLD+1 domain, allowing an attacker-controlled page to extract sensitive information from pages on other subdomains,” they said. "Next, we also show how to bypass Chrome’s 32-bit sandboxing mechanism. We achieve this by using a type confusion attack, which temporarily forces Chrome’s JavaScript engine to operate on an object of the wrong type."

“Web developers can immediately separate untrusted, user-supplied JavaScript code from all other content for their website, hosting all user-supplied JavaScript code at a domain that has a different eTLD+1," the study recommended. “This way, Strict Site Isolation will not consolidate attacker-supplied code with potentially sensitive data into the same process, putting the data out of reach even for Spook.js as it cannot cross process boundaries."