Security experts have uncovered a cross-origin attack that allows a malicious website on one domain to effectively read the pixels displayed by a website on a different domain.
Attackers can then reconstruct those pixels in a way that lets them view the words or images displayed by the other site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet.
Known as the same-origin policy, it mandates that content hosted on one website domain be isolated from all other domains.
GPU.zip works only when the attacker's malicious website is loaded in Chrome or Edge. The reason: for the attack to work, the browser must:
1. allow cross-origin iframes to be loaded with cookies
2. allow rendering SVG filters on iframes, and
3. delegate rendering tasks to the GPU
GPU.zip has not been seen in use yet, and its limited impact assumes that Web developers properly restrict sensitive pages from being embedded by cross-origin websites. End users who want to check whether a page has such restrictions should look for the X-Frame-Options or Content-Security-Policy headers in the page's HTTP responses.
Google said that widely adopted headers can prevent sites from being embedded, blocking this attack, and that sites using the default SameSite=Lax cookie behaviour receive significant mitigation against leaked personalised data.
Google added: "These protections and the difficulty and time required to exploit this behaviour significantly mitigate the threat to everyday users. We are in communication and are actively engaging with the reporting researchers. We are always looking to improve protections for Chrome users further."
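The header check described above, as an added example (not code from the article or from the GPU.zip researchers): it classifies X-Frame-Options and Content-Security-Policy frame-ancestors values and reads the SameSite attribute of Set-Cookie, run against constructed sample responses for a hypothetical origin https://bank.example.

```python
from urllib.parse import urlsplit

def framing_blocked(headers, page_origin):
    """Classify anti-framing headers. headers: list of (name, value) pairs
    as sent by the server; page_origin like 'https://bank.example'.
    Returns (blocked_cross_origin, reason)."""
    xfo, frame_ancestors = None, None
    for name, value in headers:
        key = name.lower()
        if key == "x-frame-options":
            xfo = value.strip().upper()
        elif key == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    frame_ancestors = [p.strip("'").lower() for p in parts[1:]]
    # When both are present, browsers honour frame-ancestors and ignore XFO.
    if frame_ancestors is not None:
        own = urlsplit(page_origin).netloc.lower()
        foreign = [s for s in frame_ancestors if s not in ("none", "self", own, page_origin.lower())]
        if foreign:
            return False, f"CSP frame-ancestors allows {foreign}"
        return True, f"CSP frame-ancestors {' '.join(frame_ancestors) or 'none'}"
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo and xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is ignored by current browsers"
    return False, "no framing restriction: page can be embedded cross-origin"

def cookie_samesite(set_cookie):
    """SameSite attribute of a Set-Cookie value; unspecified means Chrome's Lax default."""
    for attr in set_cookie.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "samesite":
            return val.strip().capitalize() or "Lax"
    return "Lax"

# Constructed sample responses (hypothetical origin, not a real site).
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc; Secure; SameSite=None")]
HARDENED = [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
            ("X-Frame-Options", "DENY"),
            ("Set-Cookie", "session=abc; Secure; HttpOnly")]

def report(headers, origin="https://bank.example"):
    """Summarise framing protection and cookie SameSite values for one response."""
    blocked, why = framing_blocked(headers, origin)
    samesite = [cookie_samesite(v) for n, v in headers if n.lower() == "set-cookie"]
    return {"framing_blocked": blocked, "reason": why, "cookie_samesite": samesite}
```

Running `report(WEAK)` and `report(HARDENED)` shows the embeddable response with a SameSite=None cookie beside one that refuses cross-origin framing and keeps the Lax default.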
Intel said it has "assessed the researcher findings and determined the root cause is not in its GPUs but third-party software."
Qualcomm said "the issue isn't in our threat model as it more directly affects the browser and can be resolved by the browser application if warranted, so no changes are currently planned." Apple, Nvidia, AMD, and ARM didn't comment on the findings.