A group of researchers from American, Australian and Israeli universities has presented a new side-channel attack technique that exploits Spectre-class vulnerabilities in browsers built on the Chromium engine. The attack, codenamed Spook.js, allows JavaScript code to bypass site isolation and read the contents of the entire address space of the current process, i.e. to access data from pages that are open in other tabs but handled by the same process.
Because Chrome runs different sites in different processes, the practical impact of the attack is limited to services that let different users publish their own pages. The method allows a page on which the attacker can embed their own JavaScript code to detect that other pages from the same site are open by other users and to extract sensitive information from them, such as credentials or bank details filled into web forms by the autocomplete system. As a demonstration, the researchers show how someone else's blog on the Tumblr service can be attacked if its owner opens a malicious blog hosted on the same service in another tab.
Another variant of the method is an attack on browser add-ons: installing an add-on controlled by the attacker makes it possible to extract data from other add-ons. As an example, the researchers show how a malicious add-on, once installed, can extract confidential information from the LastPass password manager.
The researchers have published a prototype exploit that works in Chrome 89 on systems with Intel i7-6700K and i7-7600U CPUs. The exploit builds on the JavaScript prototypes previously published by Google for carrying out Spectre-class attacks. The researchers note that they were able to prepare working exploits for systems based on Intel and Apple M1 processors, which allowed memory to be read at 500 bytes per second with up to 96% accuracy. It is assumed that the method can also be applied to AMD processors, but a fully functional exploit could not be prepared for them.
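The attack above works because Chromium's site isolation groups pages by site, so pages of the same service opened by different users share one process. As an added defender-side example, not part of the original article or of the researchers' code, the following Python function inspects a set of HTTP response headers for the two standard headers a service can send to request stricter isolation in Chromium: `Origin-Agent-Cluster: ?1` (asks the browser to key the agent cluster by origin rather than by site) and `Cross-Origin-Opener-Policy: same-origin` (cuts the opener relationship with cross-origin windows). The header set is constructed inline for the example; in practice the headers would come from a real response.

```python
"""Check whether a service's HTTP response headers opt into the
Chromium isolation mechanisms that narrow same-site process sharing.

The sample header sets below are constructed for this example.
"""


def isolation_status(headers):
    """Return a dict describing which isolation headers are present.

    `headers` is a mapping of header name -> value; names are compared
    case-insensitively, as HTTP header names are.
    """
    normalized = {name.lower(): value.strip() for name, value in headers.items()}

    # Origin-Agent-Cluster is a structured-header boolean; only "?1" opts in.
    origin_keyed = normalized.get("origin-agent-cluster") == "?1"

    # COOP "same-origin" (or "same-origin-allow-popups") severs cross-origin
    # opener access; "unsafe-none" is the default and provides no isolation.
    coop = normalized.get("cross-origin-opener-policy", "unsafe-none").lower()
    coop_isolating = coop in ("same-origin", "same-origin-allow-popups")

    missing = []
    if not origin_keyed:
        missing.append("Origin-Agent-Cluster: ?1")
    if not coop_isolating:
        missing.append("Cross-Origin-Opener-Policy: same-origin")

    return {
        "origin_keyed": origin_keyed,
        "coop_isolating": coop_isolating,
        "missing": missing,
    }


# Constructed sample responses: one service that opts in, one that does not.
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Origin-Agent-Cluster": "?1",
    "Cross-Origin-Opener-Policy": "same-origin",
}

DEFAULT_RESPONSE = {
    "Content-Type": "text/html",
}


if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_RESPONSE), ("default", DEFAULT_RESPONSE)):
        status = isolation_status(hdrs)
        print(label, "->", "ok" if not status["missing"] else "missing: " + ", ".join(status["missing"]))
```

A service that hosts user-controlled pages on subdomains of one site can send both headers on every user page; the check reports which of the two is absent so that a configuration review can flag hosts still relying on the default site-keyed grouping.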