Technology

58138 readers

6183 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

GPUs from all major suppliers are vulnerable to new pixel-stealing attack (arstechnica.com)

submitted 11 months ago by geosoco@kbin.social to c/technology@lemmy.world

4 comments fedilink hide all child comments

GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper published Tuesday.

The cross-origin attack allows a malicious website from one domain—say, example.com—to effectively read the pixels displayed by a website from example.org, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains.

...

The security threats that can result when HTML is embedded in iframes on malicious websites have been well-known for more than a decade. Most websites restrict the cross-origin embedding of pages displaying user names, passwords, or other sensitive content through X-Frame-Options or Content-Security-Policy headers. Not all, however, do. One example is Wikipedia, which shows the usernames of people who log in to their accounts. A person who wants to remain anonymous while visiting a site they don’t trust could be outed if it contained an iframe containing a link to https://en.wikipedia.org/wiki/Main_Page.

Pixel stealing PoC for deanonymizing a user, run with other tabs open playing video. “Ground Truth” is the victim iframe (Wikipedia logged in as “Yingchenw”). “AMD” is the attack result on a Ryzen 7 4800U after 30 minutes, with 97 percent accuracy. “Intel” is the attack result for an i7-8700 after 215 minutes with 98 percent accuracy.

The researchers showed how GPU.zip allows a malicious website they created for their PoC to steal pixels one by one for a user’s Wikipedia username. The attack works on GPUs provided by Apple, Intel, AMD, Qualcomm, Arm, and Nvidia. On AMD’s Ryzen 7 4800U, GPU.zip took about 30 minutes to render the targeted pixels with 97 percent accuracy. The attack required 215 minutes to reconstruct the pixels when displayed on a system running an Intel i7-8700.

...

all 5 comments

sorted by: hot top controversial new old

[–] mojo@lemm.ee 1 points 11 months ago (1 children)

Should clarify this only affects Chromium browsers

[–] ryannathans@aussie.zone 1 points 11 months ago

Chad firefox users unaffected

[–] Gsus4@feddit.nl 0 points 11 months ago* (last edited 11 months ago) (1 children)

Alright, how much is the patch going to impact performance?

As noted earlier, GPU.zip works only when the malicious attacker website is loaded into Chrome or Edge. The reason: For the attack to work, the browser must:

allow cross-origin iframes to be loaded with cookies

allow rendering SVG filters on iframes and delegate rendering tasks to the GPU

~~Does Firefox do that?~~

[–] NotAPenguin@kbin.social -2 points 11 months ago

says in the article that firefox and safari aren't affected.