Boffins devised a transient-execution side-channel attack on modern processors, “Spook.js,” that can be abused by threat actors to bypass the Site Isolation protections implemented in Google Chrome and Chromium-based browsers.
The attack was discovered by researchers from the University of Michigan, the University of Adelaide, the Georgia Institute of Technology, and Tel Aviv University.
“An attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled. The attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension,” the researchers wrote.
In January 2018, a team of experts devised two attacks dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which break the isolation between different applications and allow an attacker to steal sensitive data processed by the CPU.
Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.
Google implemented Site Isolation to mitigate Spectre-like attacks; however, it is important to understand that the feature can only attempt to limit information leakage by separating the contents of different websites into different processes.
The feature has been enabled since Chrome 67, and it loads each website in its own process.
The researchers discovered cases where Site Isolation fails to separate two websites, opening the door to Spectre attacks.
The Spook.js attack works against Chrome and Chromium-based browsers running on Intel, AMD, and Apple M1 processors; it uses a type confusion attack that lets it target the entire address space.
“For example, Chrome will separate example.com and example.net as their top-level-domains, .net and .com, are different. example.com and attacker.com are also separated into different processes due to a difference in their first sub-domains (example and attacker). Finally, store.example.com and corporate.example.com are allowed to share the same process since they both share the same eTLD+1, example.com,” continue the experts. “We note that Chrome could have opted for a stricter isolation, using the website’s entire origin. However, origin isolation might break a non-negligible amount of websites, as 13.4% of page loads modify their origin via document.domain.”
The experts deployed Spook.js on a Tumblr blog, targeting a password that was autofilled into Tumblr’s login page by Chrome’s built-in credential manager. They published a video PoC of the attack showing that their blog can be rendered by the same Chrome process as the login page, allowing Spook.js to recover the password.
In another attack scenario, the researchers packaged Spook.js as a Chrome extension and demonstrated that, under certain conditions, multiple extensions may be consolidated and executed in the same process. In the attack they proposed, the researchers were able to read the memory of the LastPass credential manager extension and recover the master password of the target’s vault.
The researchers shared their findings with Google, which in July 2021 applied changes to Site Isolation to ensure that extensions can no longer share processes with each other; Google also applied them to sites where users log in via third-party providers. The new Site Isolation feature, called Strict Extension Isolation, is enabled as of Chrome versions 92 and up.
“The fundamental weakness that Spook.js exploits is the differences in the security models of strict site isolation and the rest of the web ecosystem at large. On the one hand, strict site isolation considers any two resources served from the same eTLD+1 to always be in the same security domain. On the other hand, the rest of the web enjoys a much finer-grained definition of the security domain, often known as the same-origin policy. The same-origin policy only considers two resources to be in the same security domain if the entire domain name is identical,” conclude the researchers.
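To make the two security-domain definitions quoted above concrete (the eTLD+1 grouping in the researchers’ example and the same-origin rule in their conclusion), here is an added example that is not code from the researchers or from Chromium: it computes the Site Isolation process key (scheme plus eTLD+1) and the same-origin key (scheme, full host and port) for a URL and reports whether two pages could land in one renderer. The Public Suffix List subset it uses is a constructed stand-in for the real list, and it goes slightly beyond the article by handling a multi-label public suffix such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, just enough for this example.
# The real list has thousands of entries; use a maintained PSL library in practice.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "uk"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def etld_plus_one(host):
    """Return the registrable domain (eTLD+1) of a hostname, or None if it has none."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # 'co.uk' is matched before 'uk' for 'store.example.co.uk'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host itself is a public suffix, e.g. 'com'
            return ".".join(labels[i - 1:])
    return None  # unknown suffix (e.g. 'localhost'); not a registrable domain here


def site_key(url):
    """Site Isolation's unit of isolation: scheme plus eTLD+1 (the 'site')."""
    parts = urlsplit(url)
    domain = etld_plus_one(parts.hostname or "")
    return None if domain is None else f"{parts.scheme}://{domain}"


def origin_key(url):
    """Same-origin policy's unit: scheme, full hostname and effective port."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def may_share_process(url_a, url_b):
    """True when strict site isolation would allow both pages in one renderer process."""
    key_a, key_b = site_key(url_a), site_key(url_b)
    return key_a is not None and key_a == key_b


def same_origin(url_a, url_b):
    """True when the same-origin policy treats the two pages as one security domain."""
    return origin_key(url_a) == origin_key(url_b)
```

Pages for which `may_share_process` is true but `same_origin` is false are exactly the pairs where the coarser Site Isolation boundary, rather than the same-origin policy, is the only thing separating one page’s memory from another.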
(SecurityAffairs – hacking, Spook.Js)