A newly discovered side-channel attack targeting Google Chrome can allow an attacker to overcome the web browser’s security defenses to retrieve sensitive information using a Spectre-style attack.
Dubbed Spook.js, the ‘transient execution side-channel attack’ can bypass Chrome’s protections against speculative execution (Spectre) exploits to steal credentials, personal data, and more.
The original Spectre attacks enabled a wide range of attacks against different types of applications, including web apps: by exploiting how applications and processes interact with processors and on-chip memory, attackers could steal sensitive information across different websites.
Browser vendors have since deployed various countermeasures in order to make Spectre-style attacks harder to exploit.
Google Chrome introduced Strict Site Isolation, which prevents webpages from different sites from sharing the same process. It also partitioned the address space of each process into separate 32-bit sandboxes (despite Chrome being a 64-bit application).
By limiting all values to 32 bits, this aims to prevent a Spectre attacker from crossing partition boundaries, further limiting information exposure, the researchers explained.
No longer in isolation
Despite these protections being in place, researchers from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv University, said that Spook.js “shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks”.
They wrote: “More specifically, we show that Chrome’s Strict Site Isolation implementation consolidates webpages based on their eTLD+1 domain, allowing an attacker-controlled page to extract sensitive information from pages on other subdomains.
“Next, we also show how to bypass Chrome’s 32-bit sandboxing mechanism. We achieve this by using a type confusion attack, which temporarily forces Chrome’s JavaScript engine to operate on an object of the wrong type.
“Using this method we can combine multiple 32-bit values into a single 64-bit pointer, which allows us to read the process’s entire address space.
“Finally, going beyond initial proof-of-concepts, we demonstrate end-to-end attacks extracting sensitive information such as the list of open pages, their contents, and even login credentials.”
Proof-of-concept
The team of researchers demonstrated how the attack can be used to take over a Tumblr account by attacking Chrome’s built-in credential manager and stealing the user’s credentials.
They also showed how Spook.js can recover the master password in the LastPass Chrome extension, allowing them access to all of the stored credentials in a user’s password vault.
In addition to usernames and passwords, the researchers were able to gain access to a number of sensitive datasets that are stored in the memory of a website being rendered in the Chrome browser or of a Chrome extension.
The researchers said they could access: the list of same-site tabs a user currently has open; phone numbers, addresses, and bank account information displayed on a website; usernames, passwords, and credit card numbers auto-filled by credential managers; and, under certain circumstances, images in Google Photos which a user is currently viewing.
The attack is not just limited to Google Chrome. It is also successful on other Chromium-based browsers such as Microsoft Edge and Brave.
In response, Google has introduced Strict Extension Isolation, a feature which prevents multiple extensions from being consolidated into the same process under memory pressure, stopping Spook.js from being able to read the memory of other extensions.
Strict Extension Isolation is enabled as of Chrome versions 92 and up.
The researchers also advised: “Web developers can immediately separate untrusted, user-supplied JavaScript code from all other content for their website, hosting all user-supplied JavaScript code at a domain that has a different eTLD+1.
“This way, Strict Site Isolation will not consolidate attacker-supplied code with potentially sensitive data into the same process, putting the data out of reach even for Spook.js as it cannot cross process boundaries.
“In addition, sites can register their domain name to the Public Suffix List (PSL). The PSL is maintained by Mozilla, and is a list of domains under which users can register names directly (even if the domains are not true top-level domains).
“Chrome will not consolidate pages if their eTLD+1 domain is present in the PSL. That is, x.publicsuffix.com and y.publicsuffix.com will always be separated.”
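The advice above turns on one question: do two hostnames share an eTLD+1, and therefore a renderer process, under Strict Site Isolation? The following is an added example, not code from the researchers or from Chromium, that implements the Public Suffix List matching algorithm (exact, wildcard and exception rules) over a small constructed subset of the list and uses it to decide whether user-supplied JavaScript would be consolidated with a site's sensitive pages. `publicsuffix.com` is a hypothetical domain standing in for a site that has registered itself on the PSL, the rule set is constructed for the demo, and the grouping ignores the scheme, which Chrome's real site key also includes.

```javascript
// Constructed subset of the Public Suffix List (PSL), in the list's own
// syntax: plain rules, a wildcard rule ("*.ck") and an exception rule
// ("!www.ck"). The real list has thousands of entries; "publicsuffix.com"
// is a hypothetical domain that registered itself, as the researchers suggest.
const PSL_RULES = ["com", "co.uk", "github.io", "publicsuffix.com", "*.ck", "!www.ck"];

// Longest-matching PSL rule for a hostname, following the PSL algorithm:
// an exception rule always prevails; otherwise the rule with the most labels.
function publicSuffix(host, rules) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  let best = 0;
  for (const rule of rules) {
    const exception = rule.startsWith("!");
    const ruleLabels = (exception ? rule.slice(1) : rule).split(".");
    if (ruleLabels.length > labels.length) continue;
    const tail = labels.slice(labels.length - ruleLabels.length);
    const matches = ruleLabels.every((r, i) => r === "*" || r === tail[i]);
    if (!matches) continue;
    // An exception rule's suffix is the rule with its leftmost label removed.
    if (exception) return tail.slice(1).join(".");
    best = Math.max(best, ruleLabels.length);
  }
  // PSL default rule "*": an unlisted TLD is a one-label public suffix.
  return labels.slice(labels.length - Math.max(best, 1)).join(".");
}

// eTLD+1 (registrable domain): public suffix plus one more label, or null
// when the host is itself a public suffix (e.g. "github.io").
function registrableDomain(host, rules = PSL_RULES) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  const suffixLen = publicSuffix(host, rules).split(".").length;
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// Approximation of Strict Site Isolation's grouping key: two hosts may land
// in one renderer process when they share an eTLD+1. (Assumption: both are
// served over the same scheme; Chrome's real "site" key also includes it.)
function sameSite(hostA, hostB, rules = PSL_RULES) {
  const a = registrableDomain(hostA, rules);
  const b = registrableDomain(hostB, rules);
  return a !== null && a === b;
}

// Check for the developers' advice: user-supplied JavaScript is only out of
// Spook.js's reach if its host is not same-site with the sensitive pages.
function userScriptIsolated(sensitiveHost, userScriptHost, rules = PSL_RULES) {
  return !sameSite(sensitiveHost, userScriptHost, rules);
}

// Stand-alone demonstration over constructed host pairs.
for (const [a, b] of [
  ["app.example.com", "user-js.example.com"],   // consolidated: same eTLD+1
  ["app.example.com", "user-js.example.net"],   // separated: different eTLD+1
  ["x.publicsuffix.com", "y.publicsuffix.com"], // separated: parent is on the PSL
  ["alice.github.io", "mallory.github.io"],     // separated: github.io is on the PSL
]) {
  console.log(`${a} / ${b}: isolated=${userScriptIsolated(a, b)}`);
}
```

Note that moving user scripts to a sibling subdomain (`cdn.app.example.com` next to `app.example.com`) changes nothing, since both still reduce to `example.com`; only a different eTLD+1, or a PSL entry for the parent, produces a separate site. In production, use the full, current list via a maintained PSL library rather than a hand-picked subset.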
Spook.js mitigation advice
When asked how users can protect against Spook.js, Jason Kim of the Georgia Institute of Technology, told The Daily Swig: “In response to our attack, Google has deployed Strict Extension Isolation, which ensures that multiple extensions do not get consolidated into one Chrome process.
“Thus, by upgrading to Chrome 92 users can protect themselves against one version of our attack. However, due to the logic that Strict Site Isolation uses to determine if sites should be separated or not, some variants of Spook.js might still be possible.”
Kim added: “For these cases, the deployment of countermeasures must be done by website administrators and web developers, and not by individual users. Luckily, Spook.js requires substantial side-channel expertise in order to use effectively, thus raising the bar for would-be attackers.”