There is a flaw in GPU units from all major manufacturers that allows hackers to read sensitive data displayed in browsers, a new research paper argues.
The vulnerability in question is called GPU.zip, and allows for cross-origin attacks. In essence, a hacker could create a malicious website that tracks how long the GPU takes to render a separate website, and use that information to reconstruct that second page, pixel by pixel. That way, the malicious website could read sensitive content such as usernames, passwords, and other sensitive data.
This is a brutal oversimplification of the findings, and those who would like to learn more about the technical aspects of the flaw should read the paper here. However, GPU vendors have downplayed the importance of the findings and argue that it’s not something that needs addressing – at least not from their end.
“Soft” reaction from the OEMs
Even the media are suggesting that abusing the vulnerability is a long shot, because plenty of conditions need to be met for the attack to be successful.
Firstly, the browser must allow cross-origin iframes to be loaded with cookies, SVG filters to be rendered on them, and delegate rendering tasks to the GPU. It’s also worth mentioning that the flaw only works on Chrome and Edge browsers; Safari and Firefox are both safe.
Google has already responded to the claims, saying that, “widely adopted headers can prevent sites from being embedded, which prevents this attack,” adding that it has no plans to make any changes.
Intel also added that the problem is not with the GPUs themselves but with third-party software, and thus would not be taking action. For Qualcomm, “the issue isn’t in our threat model” as it “can be resolved by the browser application.”
Via Ars Technica