
Site Isolation Protection evaded by a newly discovered attack
Spook.js is a newly discovered attack on modern processors that bypasses the Site Isolation protection built into Google Chrome and Chromium-based browsers and leaks sensitive data.
The technique, dubbed Spook.js by researchers from the University of Michigan, the University of Adelaide, the Georgia Institute of Technology, and Tel Aviv University, aims to overcome the barriers Google put in place after the discovery of the Spectre and Meltdown vulnerabilities.
The researchers highlighted that a webpage controlled by the attacker can learn which pages of the same website the user is browsing, retrieve sensitive information from those pages, and even capture login information such as usernames and passwords when they are autofilled. They further added that if the user installs a malicious extension, the attacker can retrieve information from Chrome extensions.
As a result, any data stored in the memory of a website or a Chrome extension could be extracted, including personally identifiable information on the website as well as autofilled user IDs, passwords, and credit card numbers.
Spectre, tracked as CVE-2017-5753 and CVE-2017-5715, is a class of hardware flaws that breaks the isolation between applications and allows threat actors to trick a program into accessing arbitrary locations in its memory space, then read the contents of that memory to obtain sensitive data.
Google pointed out that the attacks use the speculative execution features of CPUs to access parts of memory that should be off limits, and then use timing attacks to infer the values held in that memory.
In July 2018, Google rolled out Site Isolation as a software countermeasure to make these attacks harder to exploit. Once enabled, the feature makes Chrome versions 67 and above load each website in its own process, preventing attacks across processes and across sites.
However, the latest study points out that there are cases where Site Isolation does not separate two websites, undermining the Spectre protections. Spook.js exploits this gap to leak information from browsers running on Intel, AMD, and Apple M1 processors.
The researchers further added that Spook.js is a clear indication that the measures devised to combat these attacks are insufficient to safeguard users from browser-based speculative execution attacks.
After the issue was identified, the Chrome Security Team expanded Site Isolation in July this year to make sure that extensions no longer share processes with each other, and also applied it to sites where third-party providers are used for logging in. This Strict Extension Isolation is enabled in Chrome version 92 and up.
The researchers said that developers can separate untrusted JavaScript code from the rest of their website's content by hosting all user-provided JavaScript code on a different eTLD+1 domain. That way, Strict Site Isolation will not place attacker-supplied code in the same process as sensitive data, keeping it out of the attackers' reach.
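To see why the eTLD+1 boundary matters, the following added example (not code from the article or from the researchers) computes the "site" that Strict Site Isolation groups pages by and flags page pairs that would land in the same renderer process; the public suffix list it uses is a small constructed subset standing in for the real list, and the hostnames are constructed samples.

```javascript
// Added example: decide whether two URLs fall in the same "site" (scheme plus
// eTLD+1), the boundary Strict Site Isolation uses when assigning renderer
// processes. PUBLIC_SUFFIXES is a constructed subset of the Public Suffix
// List; a real check would load the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// Return the eTLD+1 (registrable domain) of a hostname, e.g.
// "app.example.co.uk" -> "example.co.uk". Returns null for a bare suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Scan from the longest candidate down so the longest listed suffix wins,
  // then keep exactly one label in front of it.
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Unknown suffix: fall back to treating the last label as the TLD.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Two URLs are same-site when their scheme and eTLD+1 match. Same-site pages
// may share one renderer process, so a speculative-execution leak from one
// page can reach memory belonging to the other.
function sameSite(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  const da = registrableDomain(a.hostname);
  const db = registrableDomain(b.hostname);
  return a.protocol === b.protocol && da !== null && da === db;
}

// Review a deployment: list every pair of pages that would be co-located in a
// process, i.e. where user-supplied JavaScript is separated from the other
// page only by the same-origin policy rather than by Site Isolation.
function sharedProcessPairs(urls) {
  const pairs = [];
  for (let i = 0; i < urls.length; i++) {
    for (let j = i + 1; j < urls.length; j++) {
      if (sameSite(urls[i], urls[j])) pairs.push([urls[i], urls[j]]);
    }
  }
  return pairs;
}
```

Hosting user content on `user-content.example.com` leaves it same-site with `login.example.com`, whereas a separate registrable domain (or a listed suffix such as `github.io`, where each subdomain is its own site) gives the process boundary the researchers recommend.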