A team of scholars from universities in Australia, Israel, and the United States has created a new side-channel attack that targets Google Chrome’s Site Isolation feature. The attack, called Spook.js, is a new transient execution side channel exploit targeting Chrome and Chromium-based browsers, showing that Google’s attempts to mitigate Spectre have not been entirely successful.
The Spook.js Attack Explained
“More specifically, we show that an attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled. We further demonstrate that the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension,” the team said in their report.
The discovery is related to the Meltdown and Spectre exploits, the CPU design flaws that enabled malicious code running on a processor to recover data from other apps or even from secure CPU areas. The security vulnerabilities affect whole generations of computers and devices of all types that use specific chips (for example, an Intel processor or an Apple device with the M1 chip). The flaws could allow attackers to break down the fundamental isolation between user applications and the operating system, so that information being processed by the computer could be leaked to attackers.
Site Isolation: Not Enough
To mitigate the flaws, Google added the so-called Site Isolation feature, enabled by default in all versions since Chrome 67. Prior to that, it was available as an optional function that users needed to enable manually.
The addition of this mechanism changed Google Chrome’s underlying architecture to limit how different sites are processed. By design, the browser already used a multi-process model that assigned each tab to a separate renderer process, and in certain situations a tab could even switch processes when navigating to a new site. However, the Spectre proof-of-concept attacks revealed a hypothetical attack model that allowed potential threat actors to construct malicious pages capable of revealing sensitive data.
In other words, although the attacks were demonstrated only theoretically, they showcased the security design weakness of modern CPUs.
How Does Spook.js Work?
In short, the team of academics behind the Spook.js attack concept noticed that the current Site Isolation mechanism does not separate subdomains from one another, which is another design flaw.
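To make that grouping concrete, here is an added example (not code from the Spook.js researchers or from Chromium) that models the Site Isolation rule: pages are grouped by "site", meaning scheme plus registrable domain (eTLD+1), so subdomains of one registrable domain land in the same renderer process. The small public-suffix subset embedded below and the sample URLs are constructed for the demo; a real browser consults the full Public Suffix List.

```javascript
// Simplified model of the Site Isolation process-grouping rule.
// Assumption: a tiny public-suffix subset instead of the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): the longest known public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.split(".");
  let suffixLen = 1; // default: only the last label (e.g. "com") is the public suffix
  for (let i = 2; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(-i).join("."))) suffixLen = i;
  }
  return labels.slice(-(suffixLen + 1)).join(".");
}

// "Site" as Site Isolation sees it: scheme + registrable domain, port and path ignored.
function siteOf(urlString) {
  const url = new URL(urlString);
  return `${url.protocol}//${registrableDomain(url.hostname)}`;
}

// Two documents share a renderer process (under this model) when their sites match.
function sameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// Group a list of open URLs by the process they would share.
function groupBySite(urls) {
  const groups = new Map();
  for (const u of urls) {
    const site = siteOf(u);
    if (!groups.has(site)) groups.set(site, []);
    groups.get(site).push(u);
  }
  return groups;
}

// Constructed sample: an attacker-controlled subdomain next to a login page on the same site.
const SAMPLE_URLS = [
  "https://login.example.com/account",
  "https://user-pages.example.com/evil",
  "https://alice.github.io/",
  "https://bob.github.io/",
];

for (const [site, pages] of groupBySite(SAMPLE_URLS)) {
  console.log(`${site} -> one renderer process for: ${pages.join(", ")}`);
}
```

Subdomains of example.com collapse into one process, while alice.github.io and bob.github.io stay apart because github.io is itself a public suffix; that difference is what decides whether hosting untrusted content on a subdomain shares a process with the login page.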
There is also the possibility of sites being hacked, but the research team did not go that far, citing ethical research norms. Nonetheless, they said this scenario should also be taken into consideration.
If you are interested, you can also have a look at the proof-of-concept available on GitHub.