Conversation

Notices

1. Embed this notice
   Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 27-Sep-2023 05:55:35 JST Dan Goodin

   GPUs from all major suppliers are vulnerable to new pixel-stealing attack

   https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Wednesday, 27-Sep-2023 05:55:34 JST Aral Balkan

     in reply to

     • Air Adam

     @dangoodin @airadam Buried lead: only affects #Chrome and Chrome-based browsers. #Firefox and #Safari not affected.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Wednesday, 27-Sep-2023 15:56:41 JST Aral Balkan

     in reply to

     • James Bartlett :terminal:

     @JamesDBartlett3 Merci; fixed :)

   • Embed this notice
     James Bartlett :terminal: (jamesdbartlett3@techhub.social)'s status on Wednesday, 27-Sep-2023 15:56:42 JST James Bartlett :terminal:

     in reply to

     • Aral Balkan

     @aral
     Minor nitpick: It's actually the #lede that was buried, not the #lead. A very common misconception, but still worth knowing the difference.
     https://www.merriam-webster.com/wordplay/bury-the-lede-versus-lead

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Monday, 23-Oct-2023 05:43:46 JST Rich Felker

     in reply to

     • Adam :lsio:

     @spad @dangoodin Giving the website any access at all to a historically-vulnerable-garbage hardware device (the GPU) falls under "browser doing something wrong" in my book.

     Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Dan Goodin (dangoodin@infosec.exchange)'s status on Monday, 23-Oct-2023 05:43:53 JST Dan Goodin

     in reply to

     I'm not sure how to think of this new GPU.zip attack. The side channel exists in the GPUs themselves, so it seems fair to think they are vulnerable.

     On the other hand, the only (known) way to exploit this side channel is loading iframes into Chrome or Edge, so it also seems reasonable to say these browsers are the things that are vulnerable.

     I'm curious to know what you think.

     https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/

   • Embed this notice
     Adam :lsio: (spad@mastodon.linuxserver.io)'s status on Monday, 23-Oct-2023 05:43:53 JST Adam :lsio:

     in reply to

     @dangoodin the vulnerability is still with the GPUs even if it requires very specific circumstances to exploit. AFAICT it's not that the browsers are doing anything *wrong* per se, it's just that the way Chrome handles things happens to allow this exploit to work.

   • Embed this notice
     Dan Goodin (dangoodin@infosec.exchange)'s status on Monday, 23-Oct-2023 05:43:54 JST Dan Goodin

     in reply to

     GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper published Tuesday.

     The cross-origin attack allows a malicious website from one domain—say, example.com—to effectively read the pixels displayed by a website from example.org, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains.

     GPU.zip, as the proof-of-concept attack has been named, starts with a malicious website that places a link to the webpage it wants to read inside of an iframe, a common HTML element that allows sites to embed ads, images, or other content hosted on other websites. Normally, the same origin policy prevents either site from inspecting the source code, content, or final visual product of the other. The researchers found that data compression that both internal and discrete GPUs use to improve performance acts as a side channel that they can abuse to bypass the restriction and steal pixels one by one.
     Advertisement

     “We found that modern GPUs automatically try to compress this visual data, without any application involvement,” Yingchen Wang, the lead author and a researcher at the University of Texas at Austin, wrote in an email. “This is done to save memory bandwidth and improve performance. Since compressibility is data dependent, this optimization creates a side channel which can be exploited by an attacker to reveal information about the visual data.”

     https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/