This article has been indexed from E Hacking News – Latest Hacker News and IT Security News
A newly found side-channel attack targeting Google Chrome might allow an attacker to use a Spectre-style attack to bypass the web browser’s security protections and extract sensitive information. Spook.js is a novel transient execution side-channel attack that specifically targets Chrome. Despite Google’s efforts to minimize Spectre by installing Strict Site Isolation, malicious JavaScript code can still extract information in some instances.
An attacker-controlled webpage can learn which other pages from the same website a user is presently viewing, collect sensitive information from these pages, and even recover auto-filled login credentials (e.g., username and password). If a user downloads a malicious extension, the attacker may obtain data from Chrome extensions (such as credential managers).
Spectre, which made news across the world in 2018, makes use of vulnerabilities in contemporary CPU optimization features to get around security measures that prohibit separate programmes from accessing one other’s memory space. This enabled attackers to steal sensitive information across several websites by attacking how different applications and processes interact with processors and on-chip memory, allowing a wide range of attacks against different types of applications, including web apps.
Strict Site Isolation was implemented by Google Chrome, which prohibits several web pages from sharing the same process. It also divided each process’s address space into separate 32-bit sandboxes (despite being a 64-bit application).
Site Isolation is a Chrome secu
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: Spook.js: Chrome is Threatened by a New Spectre Like Attack