Graphics processing units (GPUs) from Apple, AMD, Intel, Qualcomm, Arm, and Nvidia are vulnerable to a new attack that lets malicious websites read usernames, passwords, and other sensitive data displayed by other websites.
According to a research paper published on Tuesday, 26 September 2023, the cross-origin attack lets a malicious website from one domain read pixels displayed by other domains.
Malicious actors can then reconstruct the pixels to view words or images displayed by the target domain.
This directly violates the same origin policy — a critical security principle that mandates that content hosted on one domain must be isolated from all other domains.
The research team found that data compression by integrated and discrete GPUs can act as a side channel that malicious actors can use to bypass the same origin policy’s restrictions and steal pixels one by one.
“We found that modern GPUs automatically try to compress this visual data, without any application involvement,” Ars Technica quoted lead author Yingchen Wang as saying.
“This is done to save memory bandwidth and improve performance. Since compressibility is data dependent, this optimization creates a side channel which can be exploited by an attacker to reveal information about the visual data.”
However, for the attack to work, a malicious page must be loaded into Chrome or Edge. Internal differences in the way Firefox and Safari work prevent the attack from stealing pixels in those browsers.
The team’s research paper will be presented at the 45th IEEE Symposium on Security and Privacy in San Francisco in May 2024.