Almost all top GPUs are at risk of this dangerous cyberattack - here's what you need to know


A flaw in GPUs from all major manufacturers could allow hackers to read sensitive data displayed in browsers, experts have warned.

The vulnerability in question is called GPU.zip, and allows for cross-origin attacks. In essence, a hacker could create a malicious website that tracks how long the GPU takes to render a separate website, and use that information to reconstruct that second page, pixel by pixel. That way, the malicious website could read usernames, passwords, and other sensitive data.

This is a brutal oversimplification of the findings, and those who would like to learn more about the technical aspects of the flaw should read the paper here. However, GPU vendors have downplayed the importance of the findings and argue that it’s not something that needs addressing - at least not from their end.

"Soft" reaction from the OEMs

Even the media are suggesting that abusing the vulnerability is a long shot, because plenty of conditions need to be met for the attack to be successful. 

Firstly, the browser must allow cross-origin iframes to be loaded with cookies, allow SVG filters to be rendered on them, and delegate rendering tasks to the GPU. It’s also worth mentioning that the flaw only works on Chrome and Edge browsers; Safari and Firefox are both safe.

Google has already responded to the claims, saying that, “widely adopted headers can prevent sites from being embedded, which prevents this attack,” adding that it has no plans to make any changes. 
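For site owners who want to check whether their own pages are covered by such headers, the following is an added example, not code from the article or from any vendor. The article does not name the headers; the example assumes the two standard ones that control embedding, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, and its function names are hypothetical.

```python
# Added example: classify a response's framing protection from its headers.
# X-Frame-Options and CSP frame-ancestors are real standards; all sample
# header sets used with this code are constructed.
RANK = ["blocked", "same-origin", "allowlist", "embeddable"]  # strictest first


def classify_sources(sources):
    """Map one frame-ancestors source list to a verdict."""
    if not sources or sources == ["'none'"]:
        return "blocked"          # an empty list matches no ancestor
    if sources == ["'self'"]:
        return "same-origin"
    if "*" in sources:
        return "embeddable"
    return "allowlist"            # specific hosts or schemes: review by hand


def csp_frame_ancestors(value):
    """Yield the frame-ancestors source list of each policy in a CSP value."""
    for policy in value.split(","):            # a comma separates policies
        for directive in policy.split(";"):
            tokens = directive.lower().split()
            if tokens and tokens[0] == "frame-ancestors":
                yield tokens[1:]
                break                          # later duplicates are ignored


def embedding_verdict(headers):
    """headers: (name, value) pairs as received; duplicates are allowed."""
    csp, xfo = [], set()
    for name, value in headers:
        name = name.lower()
        if name == "content-security-policy":  # Report-Only does not enforce
            csp.extend(classify_sources(s) for s in csp_frame_ancestors(value))
        elif name == "x-frame-options":
            xfo.update(v.strip().lower() for v in value.split(",") if v.strip())
    if csp:
        # An enforced frame-ancestors replaces X-Frame-Options; with several
        # policies every one must allow the embed, so the strictest decides.
        return min(csp, key=RANK.index)
    if "deny" in xfo or (len(xfo) > 1 and xfo & {"sameorigin", "allowall"}):
        return "blocked"                       # conflicting values fail closed
    if xfo == {"sameorigin"}:
        return "same-origin"
    return "embeddable"                        # includes the obsolete ALLOW-FROM
```

A verdict of "blocked" or "same-origin" means another origin cannot place the page in an iframe, which is the first condition the attack depends on.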

Intel also added that the problem is not with the GPUs themselves but with third-party software, and thus would not be taking action. For Qualcomm, “the issue isn’t in our threat model” as it “can be resolved by the browser application.”

Via Ars Technica


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
