@spad@dangoodin Giving the website any access at all to a historically-vulnerable-garbage hardware device (the GPU) falls under "browser doing something wrong" in my book.
I'm not sure how to think of this new GPU.zip attack. The side channel exists in the GPUs themselves, so it seems fair to think they are vulnerable.
On the other hand, the only (known) way to exploit this side channel is loading iframes into Chrome or Edge, so it also seems reasonable to say these browsers are the things that are vulnerable.
@dangoodin the vulnerability is still with the GPUs even if it requires very specific circumstances to exploit. AFAICT it's not that the browsers are doing anything *wrong* per se, it's just that the way Chrome handles things happens to allow this exploit to work.
GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper published Tuesday.
The cross-origin attack allows a malicious website from one domain—say, example.com—to effectively read the pixels displayed by a website from example.org, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains.
GPU.zip, as the proof-of-concept attack has been named, starts with a malicious website that places a link to the webpage it wants to read inside of an iframe, a common HTML element that allows sites to embed ads, images, or other content hosted on other websites. Normally, the same origin policy prevents either site from inspecting the source code, content, or final visual product of the other. The researchers found that data compression that both internal and discrete GPUs use to improve performance acts as a side channel that they can abuse to bypass the restriction and steal pixels one by one.
“We found that modern GPUs automatically try to compress this visual data, without any application involvement,” Yingchen Wang, the lead author and a researcher at the University of Texas at Austin, wrote in an email. “This is done to save memory bandwidth and improve performance. Since compressibility is data dependent, this optimization creates a side channel which can be exploited by an attacker to reveal information about the visual data.”
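Because the attack described above begins with the victim page being loaded in a cross-origin iframe, the first thing a site operator will want to know is whether their responses allow that at all. As an added example (not code from the article or from the GPU.zip researchers), here is a small Node.js check that classifies a response's anti-framing headers; the header maps it runs on are constructed for the example.

```javascript
// Added example: classify whether HTTP response headers permit a page to be
// embedded in a cross-origin <iframe>. Sample headers below are constructed.

// Parse a Content-Security-Policy value into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// Returns one of: 'blocked' (no framing at all), 'same-origin' (only the
// page's own origin may frame it), 'allow-list' (specific other origins may),
// or 'frameable' (any site, including a malicious one, may embed it).
// CSP frame-ancestors takes precedence over X-Frame-Options when present.
function framingPolicy(rawHeaders) {
  const headers = {};
  for (const [k, v] of Object.entries(rawHeaders)) headers[k.toLowerCase()] = v;

  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors && ancestors.length > 0) {
      if (ancestors.length === 1 && ancestors[0] === "'none'") return 'blocked';
      if (ancestors.every((s) => s === "'self'")) return 'same-origin';
      return 'allow-list';
    }
  }
  const xfo = String(headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  return 'frameable';
}

// Constructed sample responses, as a server or a scanner might see them.
const samples = {
  hardened: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  legacyOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  partner: { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" },
  unprotected: { 'Content-Type': 'text/html' },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(`${name}: ${framingPolicy(headers)}`);
}
```

Pages that come back as 'frameable' are the ones a cross-origin attacker can embed; 'same-origin' or 'blocked' removes that first step of the attack chain entirely.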