New attack to bypass site isolation in Chrome introduced

2021-09-13

Alexander Antipov

Spook.js is a JavaScript-based attack designed to bypass Google’s Spectre protection mechanisms.

The new Spectre-like side-channel attack on modern processors successfully bypasses site isolation (a security feature implemented in Google Chrome and other Chromium-based browsers) and steals sensitive data.

The attack, dubbed Spook.js, was developed by a team of scientists from the University of Michigan, Georgia Institute of Technology (USA), University of Adelaide (Australia) and Tel Aviv University (Israel).

Spook.js is a JavaScript-based attack technique specifically aimed at bypassing the defenses Google implemented after the Spectre and Meltdown vulnerabilities were discovered in January 2018. These mechanisms prevent potential leaks by ensuring that content from different domains is not placed in the same address space.

According to the researchers, web pages controlled by attackers can learn which other pages on the same site the user is viewing, extract sensitive information from them, and even recover credentials if they were entered using the auto-complete feature. If a user has installed a malicious Chrome extension, cybercriminals can also extract data through it. As a result, attackers can read out any data stored in the site’s memory, or extract it via a malicious extension.

Spectre (CVE-2017-5753 and CVE-2017-5715) is the name of a class of hardware vulnerabilities in central processing units that breaks the isolation between applications. These vulnerabilities allow attackers to force a program to access arbitrary sections of the memory allocated to it, read the contents of those sections, and potentially steal sensitive data.

In July 2018, Google implemented site isolation, a software countermeasure against Spectre attacks, in Chrome. With Site Isolation enabled, Chrome 67 and later load each site in a separate process to prevent cross-process attacks, and thus cross-site attacks.

However, experts have recently discovered scenarios in which site isolation does not separate two sites, which makes the Spectre-like Spook.js attack possible and allows data to be stolen from Chrome and other Chromium-based browsers running on computers with Intel, AMD, and Apple M1 processors.

“Chrome separates ‘example.com’ and ‘example.net’ because they have different top-level domains; the same goes for ‘example.com’ and ‘attacker.com.’ However, ‘attacker.example.com’ and ‘corporate.example.com’ are allowed to have the same process, so that the pages of the ‘attacker.example.com’ site can potentially extract information from the pages of the ‘corporate.example.com’ site,” the researchers said.

In response to the research, in July 2021 the Chrome security team extended site isolation so that “extensions can no longer share processes.” The new Strict Extension Isolation setting is enabled in Chrome 92 and later.