A newly discovered side-channel attack demonstrated on modern processors can be weaponized to overcome the Site Isolation protections[1] woven into Google Chrome and Chromium browsers and leak sensitive data in a Spectre-style[2] speculative execution[3] attack.
Dubbed “Spook.js[4]” by academics from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv University, the technique is a JavaScript-based line of attack[5] that specifically aims to get around the barriers Google put in place after the Spectre and Meltdown vulnerabilities came to light in January 2018. Those barriers are meant to prevent leakage by ensuring that content from different domains is not shared in the same address space.
“An attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled,” the researchers said, adding “the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension.”
As a consequence, any data stored in the memory of a website being rendered or of a Chrome extension can be extracted, including personally identifiable information displayed on the website and auto-filled usernames, passwords, and credit card numbers.
Spectre, designated as CVE-2017-5753 and CVE-2017-5715, refers to a class of hardware vulnerabilities in CPUs that breaks the isolation between different applications and lets attackers trick a program into accessing arbitrary locations within its own memory space, abusing it to read the contents of the accessed memory and thus potentially obtain sensitive data.
“These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory,” Google noted[6]. “Effectively, this means that untrustworthy code may be able to read any memory in its process’s address space.”
Site Isolation, rolled out in July 2018, is Google’s software countermeasure designed to make the attacks harder to exploit; other countermeasures include reducing timer granularity. With the feature enabled, Chrome browser versions 67 and above load each website in its own process, and as a result thwart attacks between processes, and thus between sites.
However, the researchers behind the latest study found scenarios in which the Site Isolation safeguards do not separate two websites, effectively undermining the Spectre protections. Spook.js exploits this design quirk to leak information from Chrome and Chromium-based browsers running on Intel, AMD, and Apple M1 processors.
“Thus, Chrome will separate ‘example.com’ and ‘example.net’ due to different [top-level domains], and also ‘example.com’ and ‘attacker.com’,” the researchers explained. “However, ‘attacker.example.com’ and ‘corporate.example.com’ are allowed to share the same process [and] this allows pages hosted under ‘attacker.example.com’ to potentially extract information from pages under ‘corporate.example.com’.”
“Spook.js shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks,” the researchers added. That said, as with other Spectre variants, exploiting Spook.js is difficult, requiring substantial side-channel expertise on the part of the attacker.
In response to the findings, the Chrome Security Team, in July 2021[7], extended Site Isolation to ensure that “extensions can no longer share processes with each other,” in addition to applying it to “sites where users log in via third-party providers.” The new setting, called Strict Extension Isolation, is enabled as of Chrome versions 92 and up.
“Web developers can immediately separate untrusted, user-supplied JavaScript code from all other content for their website, hosting all user-supplied JavaScript code at a domain that has a different eTLD+1[8],” the researchers said. “This way, Strict Site Isolation will not consolidate attacker-supplied code with potentially sensitive data into the same process, putting the data out of reach even for Spook.js as it cannot cross process boundaries.”
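The two passages above, the researchers' example of which hostnames Chrome keeps apart and their eTLD+1 hosting recommendation, both come down to how a browser groups origins into a "site" (scheme plus registrable domain). The following is an added example, not code from the article or from the Spook.js authors, that models that grouping so a web developer can check whether a page serving user-supplied JavaScript would land in the same renderer process as a sensitive page. The public-suffix table is a constructed subset for illustration; real browsers consult the full Public Suffix List, and the function and variable names are this example's own.

```javascript
// Constructed subset of the Public Suffix List. Chrome derives the
// registrable domain (eTLD+1) from the real list; this small table is
// enough to reproduce the cases discussed in the article.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk', 'github.io']);

// Return the eTLD+1 for a hostname: the longest matching public suffix
// plus one more label. Hosts with no matching suffix are returned as-is.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) {
      // The host is itself a public suffix (e.g. "github.io"): nothing to group under.
      if (i === 0) return hostname.toLowerCase();
      return labels.slice(i - 1).join('.');
    }
  }
  return hostname.toLowerCase();
}

// Chrome's Site Isolation keys renderer processes on scheme + eTLD+1,
// not on the full origin, which is the quirk Spook.js relies on.
function siteForUrl(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function sameSite(urlA, urlB) {
  return siteForUrl(urlA) === siteForUrl(urlB);
}

// Defender-side check: does hosting untrusted JavaScript at `untrustedUrl`
// keep it out of the process that renders `sensitiveUrl`? Returns an object
// so the caller can log both computed sites alongside the verdict.
function auditHosting(sensitiveUrl, untrustedUrl) {
  const sensitiveSite = siteForUrl(sensitiveUrl);
  const untrustedSite = siteForUrl(untrustedUrl);
  return {
    sensitiveSite,
    untrustedSite,
    isolated: sensitiveSite !== untrustedSite,
  };
}

// Constructed URLs matching the article's examples plus the recommended fix.
const cases = [
  ['https://example.com/', 'https://example.net/'],                         // separate
  ['https://example.com/', 'https://attacker.com/'],                        // separate
  ['https://corporate.example.com/', 'https://attacker.example.com/'],      // shared process
  ['https://corporate.example.com/', 'https://example-usercontent.net/'],   // fix: different eTLD+1
  ['https://one.github.io/', 'https://two.github.io/'],                     // separate: github.io is a public suffix
];

for (const [sensitive, untrusted] of cases) {
  const r = auditHosting(sensitive, untrusted);
  console.log(`${sensitive} vs ${untrusted}: ${r.isolated ? 'isolated' : 'SAME SITE'}`
    + ` (${r.sensitiveSite} / ${r.untrustedSite})`);
}
```

The third case reproduces the problem the researchers describe: two subdomains of the same registrable domain resolve to the same site, so Site Isolation places them in one process. The fourth case shows the recommended fix, moving user-supplied content to a host whose eTLD+1 differs, and the last case shows why platforms that serve user content under a public-suffix domain already get this separation.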
References
1. Site Isolation protections (www.chromium.org)
2. Spectre-style (thehackernews.com)
3. speculative execution (thehackernews.com)
4. Spook.js (www.spookjs.com)
5. JavaScript-based line of attack (github.com)
6. noted (security.googleblog.com)
7. July 2021 (security.googleblog.com)
8. eTLD+1 (web.dev)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/6BCg_n44FJA/new-spookjs-attack-bypasses-google.html
