AL2021_26 New SpookJS Bypasses Google Chrome’s Site Location Protection (13th September 2021)

A recently found side-channel attack illustrated that modern processors can be weaponized to successfully overcome “site isolation protections” intertwined into Google and Chromium browsers and expose sensitive data in a “spectre-style speculative execution attack.

Summary

It is classified as “Spook.js by the University of Michigan, Georgia Institute of Technology, and Tel Aviv University. The method used is known as a “JavaScript- based line of attack” that explicitly aims to get around barriers Google has put in place after the Spectre and Meltdown vulnerabilities had come to light in January 2018, thereby potentially preventing leakage by ensuring that content from different domains is not shared in the same address space.

How it works

An attacker who is in control of the webpage can know which other pages from the same websites a user is currently browsing, and recover sensitive information from these pages, as well as gather login credentials (usernames and passwords) when users enable autofill. Researchers have also, discover that the attacker can recover data from Chrome Extensions (such as credential managers) if a user installs a malicious extension.

As a ramification, any data kept in the memory of a website being rendered or a Chrome extension can be extracted, which includes personally identifiable information displayed on the website, and auto-filled usernames, passwords and credit card numbers.

Spectre, assigned as CVE-2017-5753 and CVE-2017-5715, is known as a class of hardware vulnerabilities in CPUs that breaks the separation between different applications and allow attackers to trick a program into an accessing arbitrary location associated with its memory space, exploiting it to read the content of accessed memory, and thereof potentially acquire sensitive data.

An observation by Google, highlights that these attacks use the abstract execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use schedule attacks to discover the values kept in the said memory. With this observation, it means that untrustworthy code may be able to read any memory in its process’s address space.

Remediation

While no current patch is available, users are advised to follow recommended best practices such as:

Ensure your Chrome browser is updated to version 92 and later.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: New SpookJS Bypasses Google Chrome Site Location Protection.pdf

References.