A group of scientists from universities in Australia, Israel and the United States have presented a side-channel attack that allows you to recover data from Google Chrome and Chromium-based browsers protected by the Site Isolation function.
The attack was named Spook.js (or SpookJS), which is a direct reference to the Meltdown and Specter cpu vulnerabilities discovered in 2018. Although both attacks were demonstrated only as a concept back then, they proved that there are many flaws in the design of modern processors. As a result, Intel and AMD made a commitment to change future designs of their CPUs, making them more secure, and software vendors have increased the protection of their applications to make it more difficult or even to prevent the exploitation of such bugs.
One of the first protective measures to implement was Google, adding a new feature to Chrome called Site Isolation.
In their report, experts demonstrate the successful compromise of Tumblr and Bitbucket, but also admit that not all sites that support the creation of subdomains have data that is worth stealing at all. For example, Google is of interest in this regard: in this case, scientists created a site in Google Sites, where they uploaded Spook.js to create a malicious page. As a result, they were able to recover images uploaded to the victim’s personal Google Workspace or Google Photo account.
The researchers also packaged Spook.js into a Chrome extension that they loaded into the browser. Since all the code was executed in one process, Spook.js was able to extract data from other extensions, which during the experiment were passwords that were automatically filled by the LastPass extension in the victim’s browser. Of all the attacks, experts considered this the most serious, since users, as a rule, install a large number of extensions, many of which have access to all data, and as a result, Spook.js “sees” all this.
Unfortunately, experts point out that this does not help protect against other variations of the Spook.js attack.