The latest SpookJS attack bypasses Google Chrome’s Site Isolation protection and can leak sensitive data in a Spectre-style speculative execution attack.
The attack specifically targets getting around the Google protection placed since the Spectre and Meltdown vulnerabilities came to light in January 2018. This ensured content from different domains is not shared in the same address space, resulting in stopping the leakage.
The researchers said, “An attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are auto-filled. The attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension.”
This results in any data stored in the memory of a website being rendered or a Chrome extension being extracted. This includes personal information displayed on the website and auto-filled usernames, passwords, and credit card numbers.
The Spectre vulnerability has been classed as CVE-2017-5753 and CVE-2017-5715, it breaks the isolation between different applications and permits attackers to trick a program into accessing arbitrary locations associated with its memory space. It abuses it making it possible to read the content of accessed memory resulting in potentially obtaining sensitive data.
Google in a blog post said, “These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory. Effectively, this means that untrustworthy code may be able to read any memory in its process’s address space.”
Google in July 2018, rolled out the Site Isolation software as a measure to make the attacks difficult to exploit. It also reduced the timer granularity, enabling Chrome browser versions 67 and above to load each website in its own process. As a result of this, the attacks were prevented between processes and also between sites.
Though the current findings of the researchers suggest, site isolation does not safeguard two separate websites, hence undermining the Spectre protections. This design is effectively exploited by the Spook.js to result in information leakage from Chrome and Chromium-based browsers running on Intel, AMD, and Apple M1 processors.
The researchers said, “Thus, Chrome will separate ‘example.com’ and ‘example.net’ due to different [top-level domains], and also ‘example.com’ and ‘attacker.com. However, ‘attacker.example.com’ and ‘corporate.example.com’ are allowed to share the same process [and] this allows pages hosted under ‘attacker.example.com’ to potentially extract information from pages under ‘corporate.example.com.'”
Further, they explained, “Spook.js shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks.” This means with other Spectre variants, exploiting Spook.js is difficult and requires substantial side-channel expertise on the part of the attacker.
Based on Chrome Security Team findings in July 2021, the extended Site isolation ensured that extensions can no longer share processes with each other. Additionally applying them to “sites where users login via third-party providers. They placed a new setting called Strict Extension Isolation enabled on Chrome versions 92 and above.
Read this PDF to know more about Spook.js