Spook.js attack bypasses Strict Site Isolation in Chrome to steal passwords

Security researchers from a collection of US and international universities have revealed details of Spook.js, a worrying transient execution side channel attack that can be used to bypass Chrome's Strict Site Isolation.

Rolled out by Google in response to the Spectre security flaw, Strict Site Isolation is supposed to prevent unauthorized data theft. But the researchers found that malicious JavaScript code can be used to grab data -- such as passwords -- from other tabs. The attack has been found to affect Intel processors and Apple devices with M1 chips; AMD chips are also thought to be at risk, but this is yet to be fully demonstrated.

The team is made up of researchers from the Georgia Institute of Technology, the University of Adelaide, the University of Michigan and Tel Aviv University. They say that "despite Google's attempts to mitigate Spectre by deploying Strict Site Isolation, information extraction via malicious JavaScript code is still possible in some cases".

The researchers go on to say:

More specifically, we show that an attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled. We further demonstrate that the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension.

The security researchers have shared a couple of videos showing Spook.js in action. In the first, the attack is used to grab a password for a Tumblr blog from Chrome's built-in credential manager.

In the second, a malicious browser extension is used to steal the master password from LastPass.

A proof-of-concept is available on GitHub, and you can read through the full report here (PDF). The researchers have also set up Spookjs.com to share information about the attack.

© 1998-2021 BetaNews, Inc. All Rights Reserved.