Spook.js attack bypasses Strict Site Isolation in Chrome to steal passwords
Security researchers from a collection of US and international universities have revealed details of Spook.js, a worrying transient execution side channel attack that can be used to bypass Chrome's Strict Site Isolation.
The researchers go on to say:
More specifically, we show that an attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled. We further demonstrate that the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension.
The security researchers have shared a couple of videos showing Spook.js in action. In the first, the attack is used to grab a password for a Tumblr blog from Chrome's built-in credential manager:
In the second, a malicious browser extension is used to steal the master password from LastPass: