A potentially scary, though difficult to implement side-channel attack that could allow malicious websites to read and extract sensitive data has broken cover. The vulnerability affects all GPU manufacturers across devices ranging from PCs, to laptops and phones.
According to a paper released by researchers from four American universities (via Ars Technica), the so-called GPU.zip attack relates to GPU compression data. This is proprietary so it would require a hacker to have a deep knowledge of GPU compression algorithms, which are closed in nature and would require reverse engineering. That’s no mean feat for a start.
A malicious website can then use a cross-origin SVG (scalable vector graphics) filter to read the pixels displayed by another website. It works by visiting a website with embedded iframe HTML elements. The iframe links to the cross-origin webpage allowing a hacker to extract information as it appears on the screen, one pixel at a time.
But it’s also web browser dependent. According to the researchers, Firefox and Safari don’t meet the requirements for GPU.zip to work, so chalk one up to them I guess.
As for a fix, it’s believed the GPU manufacturers are pushing for a software solution. In a statement provided to Bleeping Computer, an Intel spokesperson was quoted as saying: “While Intel hasn’t had access to the researcher’s full paper, we assessed the researcher findings that were provided and determined the root cause is not in our GPUs but in third party software.”
There’s no need to panic. Hackers have much easier ways of stealing your data, being the lazy grubs they are. Most websites hosting sensitive information don’t allow cross-origin embedding in the first place. Though the proof-of-concept attack was done via Wikipedia, so it’s not just super obscure sites.
While this attack is not one that will require you to immediately pull the power plug on your PC, it’s just another reminder of the ongoing security arms race. It’s another example of hardware optimizations opening up vulnerabilities to side-channel attacks.
New and novel ways to rip people off will never stop. So yeah, always keep your software and OS up to date, and steer clear of particular dodgy websites.