Spook.js attack bypasses Strict Site Isolation in Chrome to steal passwords
Security researchers from a collection of US and international universities have revealed details of Spook.js, a worrying transient-execution side-channel attack that can be used to bypass Chrome's Strict Site Isolation.
Rolled out by Google in response to the Spectre security flaw, Strict Site Isolation is supposed to prevent unauthorized data theft. But the researchers found that malicious JavaScript code can be used to grab data -- such as passwords -- from other tabs. The attack has been found to affect Intel processors and Apple devices with M1 chips; AMD chips are also thought to be at risk, but this is yet to be fully demonstrated.
The team is made up of researchers from the Georgia Institute of Technology, the University of Adelaide, the University of Michigan and Tel Aviv University. They say that "despite Google's attempts to mitigate Spectre by deploying Strict Site Isolation, information extraction via malicious JavaScript code is still possible in some cases".
The researchers go on to say:
More specifically, we show that an attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled. We further demonstrate that the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension.
The security researchers have shared a couple of videos showing Spook.js in action. In the first, the attack is used to grab a password for a Tumblr blog from Chrome's built-in credential manager:
In the second, a malicious browser extension is used to steal the master password from LastPass:
A proof-of-concept is available on GitHub, and you can read through the full report here (PDF). The researchers have also set up Spookjs.com to share information about the attack.