Skip to main content

Google Chrome hacked - but not by who you'd expect

Spectre and meldown
(Image credit: Graz University of Technology)

Google has put up a proof-of-concept (PoC) code that exploits the Spectre vulnerability in Chrome as part of its bid to help web developers mitigate browser-based side-channel attacks.

This follows last month’s development when Google’s security engineer Mike West wrote a note to the W3C's Web Application Security Working Group, suggesting recommendations for web developers to write Spectre-resistant code. Reportedly the group is considering officially endorsing West’s recommendation.

“While operating system and web browser developers have implemented important built-in protections where possible (including Site Isolation with out-of-process iframes and Cross-Origin Read Blocking in Google Chrome, or Project Fission in Firefox), the design of existing web APIs still makes it possible for data to inadvertently flow into an attacker's process,” Google security engineers Stephen Röttger and Artur Janc wrote.

Spectre-proof websites

While the duo has used Google Chrome they note that the vulnerabilities are prevalent on all modern web browsers. They explain that the PoC helps demonstrate the practicality of side-channel exploits against JavaScript engines. 

They’ve also put up a website to interactively depict how the side-channel attacks leaks data. The Google engineers note that while the demo website leaks data at a speed of 1kB/s on Chrome 88 on an Intel Skylake CPU, they tried it on several other processors including the Apple M1 as well.

The PoC is just one of the several that Röttger and Janc have created, one leaked data at 8kB/s and another at 60kB/s. The released PoC was chosen because of its “negligible setup time.”

“While we don't believe this particular PoC can be re-used for nefarious purposes without significant modifications, it serves as a compelling demonstration of the risks of Spectre. In particular, we hope it provides a clear signal for web application developers that they need to consider this risk in their security evaluations and take active steps to protect their sites,” the developers conclude.

Via: The Register