Google Chrome hacked - but not by who you’d expect

W3C is considering promoting Google’s suggestions for mitigating side-channel attacks as best practices

Google has put up proof-of-concept (PoC) code that exploits the Spectre vulnerability in Chrome as part of its bid to help web developers mitigate browser-based side-channel attacks.

This follows last month’s development when Google’s security engineer Mike West wrote a note to the W3C’s Web Application Security Working Group, suggesting recommendations for web developers to write Spectre-resistant code. Reportedly the group is considering officially endorsing West’s recommendation.

“While operating system and web browser developers have implemented important built-in protections where possible (including Site Isolation with out-of-process iframes and Cross-Origin Read Blocking in Google Chrome, or Project Fission in Firefox), the design of existing web APIs still makes it possible for data to inadvertently flow into an attacker’s process,” Google security engineers Stephen Röttger and Artur Janc wrote.

Spectre-proof websites

While the duo used Google Chrome, they note that the vulnerabilities are prevalent on all modern web browsers. They explain that the PoC helps demonstrate the practicality of side-channel exploits against JavaScript engines.

They’ve also put up a website to interactively depict how the side-channel attacks leak data. The Google engineers note that while the demo website leaks data at a speed of 1kB/s on Chrome 88 on an Intel Skylake CPU, they tried it on several other processors including the Apple M1 as well.

The PoC is just one of several that Röttger and Janc have created; one leaked data at 8kB/s and another at 60kB/s. The released PoC was chosen because of its “negligible setup time.”

“While we don’t believe this particular PoC can be re-used for nefarious purposes without significant modifications, it serves as a compelling demonstration of the risks of Spectre. In particular, we hope it provides a clear signal for web application developers that they need to consider this risk in their security evaluations and take active steps to protect their sites,” the developers conclude.


Via: The Register

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
