Spook.js is a new side-channel attack on modern processors that can bypass the site isolation protection implemented in Google Chrome.
Boffins has devised a temporary side-channel attack on the latest processor, Spook.js. It can be exploited by threat actors to bypass the site isolation protection implemented in Google Chrome and Chromium browsers.
The attack was discovered by researchers at the University of Michigan, Adelaide University, Georgia Institute of Technology, and Tel Aviv University.
“Attacker-controlled web pages recognize other pages on the same website that the user is currently browsing, retrieve sensitive information from these pages, and log in credentials (such as username and password) when auto-filled. ) Can also be recovered. An attacker can retrieve the data. If the user installs a malicious extension, from a Chrome extension (such as Credential Manager). “
In January 2018, a team of experts devised two attacks, Meltdown (CVE-2017-5754) and Specter (CVE-2017-5753 and CVE-2017-5715). These attacks can be performed to break the isolation between different applications and steal sensitive data processed. Depending on the CPU.
Both attacks utilize the speculative execution techniques used by modern CPUs to optimize performance.
Google has implemented site isolation to mitigate attacks like Specter, but anyway, this feature can only try to limit information breaches by separating the content of different websites into different processes. It’s important to understand what you can do.
This feature is enabled in Chrome 67 and above, allowing each website to be loaded in its own process.
Researchers have found several cases where site separation fails to separate two websites that open the door to Specter attacks.
The Spook.js attack uses a type of confusion attack that works against Chrome and Chromium-based browsers running on Intel, AMD, and Apple M1 processors, allowing you to target the entire address space. increase.
“For example, Chrome separates example.com and example.net because the top-level domains .net and .com are different. Example.com and attacker.com are also the first subdomains (example). And attacker) are different, so they can be split into different processes. Finally, store.example.com and corporate.example.com share the same eTLD + 1, example.com, so they can share the same process. The separation of origins. ”Experts continue. “Please note that Chrome may have been able to choose a tighter isolation using the entire website, although 13.4% of page loads change origin via document.domain. As a result, isolation of sources can corrupt a non-negligible amount of websites. “
Experts have deployed Spook.js on the Tumblr blog, targeting the password auto-filled on the Tumblr login page by Chrome’s built-in credential manager. They have released a video PoC of an attack showing that Spook.js can render a blog with the same Chrome process as the login page that allows password recovery.
In another attack scenario, researchers packaged Spook.js as a Chrome extension, demonstrating that under certain conditions, multiple extensions can be integrated and run from the same process. The attack proposed by the researchers was able to read the memory of the LastPass Credential Manager extension and recover the master password of the target vault.
Researchers shared the findings with Google, and in July 2021 applied some changes to site isolation to prevent extensions from sharing processes with each other, allowing users to go through a third-party provider. I also applied it to the site to log in. A new site isolation feature called Strict Extension Isolation has been enabled since Chrome version 92.
“The fundamental weakness that Spook.js exploits is the difference between strict site isolation and other security models across the web ecosystem. On the other hand, strict site isolation offers two from the same eTLD + 1. Resources are always considered to be in the same security domain, while the rest of the web has a finer-grained definition of the security domain, often referred to as the same origin policy. The original policy only considers two resources to be in the same security domain if the entire domain name is the same, “the researchers conclude.
Follow us on Twitter: @securityaffairs and Facebook
(SecurityAffairs hack, Spook.Js)
The mention sources can contact us to remove/changing this article
What Are The Main Benefits Of Comparing Car Insurance Quotes Online
LOS ANGELES, CA / ACCESSWIRE / June 24, 2020, / Compare-autoinsurance.Org has launched a new blog post that presents the main benefits of comparing multiple car insurance quotes. For more info and free online quotes, please visit https://compare-autoinsurance.Org/the-advantages-of-comparing-prices-with-car-insurance-quotes-online/ The modern society has numerous technological advantages. One important advantage is the speed at which information is sent and received. With the help of the internet, the shopping habits of many persons have drastically changed. The car insurance industry hasn't remained untouched by these changes. On the internet, drivers can compare insurance prices and find out which sellers have the best offers. View photos The advantages of comparing online car insurance quotes are the following: Online quotes can be obtained from anywhere and at any time. Unlike physical insurance agencies, websites don't have a specific schedule and they are available at any time. Drivers that have busy working schedules, can compare quotes from anywhere and at any time, even at midnight. Multiple choices. Almost all insurance providers, no matter if they are well-known brands or just local insurers, have an online presence. Online quotes will allow policyholders the chance to discover multiple insurance companies and check their prices. Drivers are no longer required to get quotes from just a few known insurance companies. Also, local and regional insurers can provide lower insurance rates for the same services. Accurate insurance estimates. Online quotes can only be accurate if the customers provide accurate and real info about their car models and driving history. Lying about past driving incidents can make the price estimates to be lower, but when dealing with an insurance company lying to them is useless. Usually, insurance companies will do research about a potential customer before granting him coverage. Online quotes can be sorted easily. Although drivers are recommended to not choose a policy just based on its price, drivers can easily sort quotes by insurance price. Using brokerage websites will allow drivers to get quotes from multiple insurers, thus making the comparison faster and easier. For additional info, money-saving tips, and free car insurance quotes, visit https://compare-autoinsurance.Org/ Compare-autoinsurance.Org is an online provider of life, home, health, and auto insurance quotes. This website is unique because it does not simply stick to one kind of insurance provider, but brings the clients the best deals from many different online insurance carriers. In this way, clients have access to offers from multiple carriers all in one place: this website. On this site, customers have access to quotes for insurance plans from various agencies, such as local or nationwide agencies, brand names insurance companies, etc. "Online quotes can easily help drivers obtain better car insurance deals. All they have to do is to complete an online form with accurate and real info, then compare prices", said Russell Rabichev, Marketing Director of Internet Marketing Company. CONTACT: Company Name: Internet Marketing CompanyPerson for contact Name: Gurgu CPhone Number: (818) 359-3898Email: [email protected]: https://compare-autoinsurance.Org/ SOURCE: Compare-autoinsurance.Org View source version on accesswire.Com:https://www.Accesswire.Com/595055/What-Are-The-Main-Benefits-Of-Comparing-Car-Insurance-Quotes-Online View photos
to request, modification Contact us at Here or [email protected]