The new Spook.js attack can allow attackers to bypass Chrome defenses

The side-channel attack could avoid Google Chrome’s protections against Spectre-style exploits

New attack bypasses the site isolation protection. The side-channel attack shows a modern approach of weaponizing processors to overcome the site isolation protections.

A new side-channel attack targeting Google Chrome has been discovered.[1] The attack can allow an attacker to overcome an internet browser's security defenses and, in doing so, retrieve sensitive information in what's called a Spectre-style attack. The attack was named Spook.js and is thought to pose a threat to credentials and personal data.

Researchers published a detailed analysis on the matter in the paper titled "Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution". The technique is a JavaScript-based line of attack that aims to get around the barriers Google put in place after the Spectre and Meltdown vulnerabilities in January 2018. The barriers, in theory, should prevent any leakage by ensuring that content from different domains is not shared in the same address space.[2]

With this discovery, an attacker-controlled webpage can learn which other pages from the same websites a user is currently browsing, retrieve sensitive information from these sites, and even recover login credentials when they are auto-filled. An attacker could also retrieve data from Chrome extensions if a user installs a malicious add-on. Any data stored in the memory of a website being rendered could be extracted.

Spectre and Meltdown attacks hit global headlines back in the day

Meltdown and Spectre were no ordinary bugs. When originally discovered, Meltdown affected all Intel x86 microprocessors and IBM Power processors, as well as some ARM-based processors. Spectre and its many variations added Advanced Micro Devices (AMD) processors to that list. In other words, nearly the whole world of computing was vulnerable.[3]

Fixing such huge vulnerabilities is usually difficult because computing speed could be impacted. Later on, it was discovered that security patches were needed not just from the processor makers but also from those further down the supply chain, such as Apple or Microsoft. After some time had passed, researchers summed up that Spectre and Meltdown are the result of the difference between what software is supposed to do and what it actually does.

In the time since the major global Spectre and Meltdown attacks, browser vendors have deployed various countermeasures to make these types of attacks harder to exploit. For instance, Google Chrome introduced Strict Site Isolation, which should prevent different pages from sharing the same process. It also partitioned the address space of each process into different 32-bit sandboxes.

Google Chrome often faces security issues

Google Chrome has over two billion users globally and is the leader of the internet browser market. That also makes it the prime target of hackers. Google often shares new discoveries on high-rated security threats found in Chrome, with the vulnerabilities impacting users on all major operating systems: Windows, macOS, and Linux. Such updates are frequent, but their effectiveness relies upon billions of users updating and restarting their browsers.[4]

Security experts advise following safe internet browsing rules, checking the safety of each visited site, and removing unwanted ads and pop-ups. Site isolation features could be used as well, in order to add a layer of protection against some types of security vulnerabilities. The site isolation feature makes it harder for untrustworthy websites to access or steal information from your accounts on other websites.[5]

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
