Conversation

Notices

Embed this notice
Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 27-Sep-2023 05:55:35 JST Dan Goodin

GPUs from all major suppliers are vulnerable to new pixel-stealing attack
https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/

In conversation Wednesday, 27-Sep-2023 05:55:35 JST from infosec.exchange permalink
- Embed this notice
  Aral Balkan (aral@mastodon.ar.al)'s status on Wednesday, 27-Sep-2023 05:55:34 JST Aral Balkan
  in reply to
  - Air Adam
  @dangoodin @airadam Buried lead: only affects #Chrome and Chrome-based browsers. #Firefox and #Safari not affected.
  
  In conversation Wednesday, 27-Sep-2023 05:55:34 JST permalink
- Embed this notice
  Aral Balkan (aral@mastodon.ar.al)'s status on Wednesday, 27-Sep-2023 15:56:41 JST Aral Balkan
  in reply to
  - James Bartlett :terminal:
  @JamesDBartlett3 Merci; fixed :)
  
  In conversation Wednesday, 27-Sep-2023 15:56:41 JST permalink
- Embed this notice
  James Bartlett :terminal: (jamesdbartlett3@techhub.social)'s status on Wednesday, 27-Sep-2023 15:56:42 JST James Bartlett :terminal:
  in reply to
  - Aral Balkan
  @aral
  Minor nitpick: It's actually the #lede that was buried, not the #lead. A very common misconception, but still worth knowing the difference.
  https://www.merriam-webster.com/wordplay/bury-the-lede-versus-lead
  In conversation Wednesday, 27-Sep-2023 15:56:42 JST permalink
  Attachments
  1. Domain not in remote thumbnail source whitelist: merriam-webster.com
    
    Why Do We 'Bury the Lede?'
    
    We buried 'lead' so far down that we forgot how to spell it
- Embed this notice
  Rich Felker (dalias@hachyderm.io)'s status on Monday, 23-Oct-2023 05:43:46 JST Rich Felker
  in reply to
  - Adam :lsio:
  @spad @dangoodin Giving the website any access at all to a historically-vulnerable-garbage hardware device (the GPU) falls under "browser doing something wrong" in my book.
  
  In conversation Monday, 23-Oct-2023 05:43:46 JST permalink
  
  Haelwenn /элвэн/ :triskell: likes this.
- Embed this notice
  Dan Goodin (dangoodin@infosec.exchange)'s status on Monday, 23-Oct-2023 05:43:53 JST Dan Goodin
  in reply to
  
  I'm not sure how to think of this new GPU.zip attack. The side channel exists in the GPUs themselves, so it seems fair to think they are vulnerable.
  On the other hand, the only (known) way to exploit this side channel is loading iframes into Chrome or Edge, so it also seems reasonable to say these browsers are the things that are vulnerable.
  I'm curious to know what you think.
  https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/
  
  In conversation Monday, 23-Oct-2023 05:43:53 JST permalink
- Embed this notice
  Adam :lsio: (spad@mastodon.linuxserver.io)'s status on Monday, 23-Oct-2023 05:43:53 JST Adam :lsio:
  in reply to
  
  @dangoodin the vulnerability is still with the GPUs even if it requires very specific circumstances to exploit. AFAICT it's not that the browsers are doing anything *wrong* per se, it's just that the way Chrome handles things happens to allow this exploit to work.
  
  In conversation Monday, 23-Oct-2023 05:43:53 JST permalink
- Embed this notice
  Dan Goodin (dangoodin@infosec.exchange)'s status on Monday, 23-Oct-2023 05:43:54 JST Dan Goodin
  in reply to
  
  GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper published Tuesday.
  The cross-origin attack allows a malicious website from one domain—say, example.com—to effectively read the pixels displayed by a website from example.org, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains.
  GPU.zip, as the proof-of-concept attack has been named, starts with a malicious website that places a link to the webpage it wants to read inside of an iframe, a common HTML element that allows sites to embed ads, images, or other content hosted on other websites. Normally, the same origin policy prevents either site from inspecting the source code, content, or final visual product of the other. The researchers found that data compression that both internal and discrete GPUs use to improve performance acts as a side channel that they can abuse to bypass the restriction and steal pixels one by one.
  Advertisement
  “We found that modern GPUs automatically try to compress this visual data, without any application involvement,” Yingchen Wang, the lead author and a researcher at the University of Texas at Austin, wrote in an email. “This is done to save memory bandwidth and improve performance. Since compressibility is data dependent, this optimization creates a side channel which can be exploited by an attacker to reveal information about the visual data.”
  https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/
  In conversation Monday, 23-Oct-2023 05:43:54 JST permalink
  Attachments
  1. No result found on File_thumbnail lookup.
    
    Example Domain
  2. No result found on File_thumbnail lookup.
    
    Example Domain

Public

Notices

Feeds