Google Chrome hacked - but not by who you'd expect

Spectre and Meltdown
(Image credit: Graz University of Technology)

Google has published proof-of-concept (PoC) code that exploits the Spectre vulnerability in Chrome as part of its bid to help web developers mitigate browser-based side-channel attacks.

This follows a development last month, when Google security engineer Mike West wrote a note to the W3C's Web Application Security Working Group with recommendations for web developers on writing Spectre-resistant code. Reportedly, the group is considering officially endorsing West’s recommendations.

“While operating system and web browser developers have implemented important built-in protections where possible (including Site Isolation with out-of-process iframes and Cross-Origin Read Blocking in Google Chrome, or Project Fission in Firefox), the design of existing web APIs still makes it possible for data to inadvertently flow into an attacker's process,” Google security engineers Stephen Röttger and Artur Janc wrote.

Spectre-proof websites

While the duo used Google Chrome, they note that the vulnerabilities are prevalent in all modern web browsers. They explain that the PoC helps demonstrate the practicality of side-channel exploits against JavaScript engines.

They’ve also put up a website that interactively depicts how the side-channel attack leaks data. The Google engineers note that the demo website leaks data at a speed of 1kB/s on Chrome 88 on an Intel Skylake CPU, and that they tried it on several other processors as well, including the Apple M1.

The PoC is just one of several that Röttger and Janc have created; one leaked data at 8kB/s and another at 60kB/s. The released PoC was chosen because of its “negligible setup time.”

“While we don't believe this particular PoC can be re-used for nefarious purposes without significant modifications, it serves as a compelling demonstration of the risks of Spectre. In particular, we hope it provides a clear signal for web application developers that they need to consider this risk in their security evaluations and take active steps to protect their sites,” the developers conclude.

Via: The Register

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
