SpookJS Attack can Bypass Site Isolation in Chrome Browser

A group of researchers from universities in Australia, Israel and the United States has presented a side-channel attack that allows an attacker to recover data from Google Chrome and Chromium-based browsers even when the browser's Site Isolation feature is enabled.

The attack is named Spook.js (or SpookJS), a direct reference to the Meltdown and Spectre CPU vulnerabilities disclosed in 2018. Although both attacks were only demonstrated as proofs of concept at the time, they showed that the designs of modern processors contain many exploitable flaws. As a result, Intel and AMD committed to changing future CPU designs to make them more secure, and software vendors hardened their applications to make exploiting such bugs harder or, where possible, to prevent it outright.

One of the first vendors to respond was Google, which added a feature called Site Isolation to Chrome.

Site Isolation runs each site in its own renderer process, so that a Spectre-style JavaScript attack cannot read memory belonging to other sites the user has open in other tabs.

However, the researchers now report that the current version of Site Isolation is insufficient. Site Isolation separates sites from each other at the level of the registrable domain (eTLD+1), for example example.com from attacker.com, but it does not separate subdomains of the same site, for example attacker.example.com from login.example.com: both end up in the same renderer process. Spook.js exploits exactly this aspect of Site Isolation's design. Moreover, the researchers believe Google is aware of the problem but cannot easily fix it, since isolating at the subdomain level would break an estimated 13.4% of all sites on the Internet.

Building on this, the researchers created Spook.js, a JavaScript tool that mounts Spectre-style side-channel attacks in Chrome and Chromium-based browsers on Intel, AMD and Apple M1 processors. The tool extracts data from other subdomains of the same site as the page it runs in, so it only works if the attacker manages to get Spook.js running on a subdomain of the target site.

That said, the researchers stress that many sites let users create their own subdomains and run JavaScript on them, including Tumblr, GitHub, Bitbucket and many others. A site can also simply be compromised for the specific purpose of mounting the attack.

In their report, the experts demonstrate successful attacks against Tumblr and Bitbucket, but also admit that not every site that supports user-created subdomains holds data worth stealing. Google, however, is of interest in this regard: the researchers created a site on Google Sites and uploaded Spook.js to it to build a malicious page. With it, they were able to recover images that the victim had uploaded to their personal Google Workspace or Google Photos account.

The researchers also packaged Spook.js as a Chrome extension and loaded it into the browser. Since all extension code ran in a single process, Spook.js was able to extract data from other extensions; in the experiment, this was passwords that the LastPass extension had auto-filled in the victim's browser. Of all the attacks, the experts considered this the most serious, since users typically install many extensions, many of which have access to all page data, and as a result Spook.js "sees" all of it.

The experts have notified all the companies whose products they tested (including Intel, AMD, Google, Tumblr, LastPass and Atlassian) about the problem. Google took the findings seriously and last summer announced that Site Isolation will now also apply to extensions, separating their JavaScript code from each other.

Unfortunately, the experts point out that this does not protect against the other variants of the Spook.js attack.

“Web developers should immediately separate untrusted user-supplied JavaScript from all other content on the site by placing all user-supplied JavaScript on a different eTLD+1 domain,” say the authors of Spook.js. “Thus, strong isolation will not allow code provided by an attacker to be combined with potentially sensitive data in one process, making it inaccessible even to Spook.js, since it is not able to go outside the process.”
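To make the boundary concrete, the following JavaScript is an added illustration (not code from the Spook.js paper or from Chromium) of the "site" definition Site Isolation groups by, scheme plus registrable domain (eTLD+1). It shows why attacker.example.com and login.example.com land in one process, and applies the same rule to the authors' recommended fix of serving user-supplied scripts from a separate eTLD+1. The public-suffix table is a constructed subset of the Public Suffix List, and hosts such as usercontent.example.net are made-up examples.

```javascript
// Added illustration, not code from the Spook.js paper or from Chromium.
// Chrome's Site Isolation assigns renderer processes per *site*, where a site is
// the URL scheme plus the registrable domain (eTLD+1). Everything that is
// same-site shares a process, which is the boundary Spook.js reads across.

// Assumption: a constructed subset of the Public Suffix List (https://publicsuffix.org/),
// just enough for the sample hostnames below. A real check needs the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// Registrable domain (eTLD+1) of a hostname, or null when the hostname is itself
// a public suffix (such a host has no shared site and stands on its own).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Try the longest candidate suffix first so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Suffix not in the table: fall back to the last two labels.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// The site key Site Isolation groups by: scheme + eTLD+1, e.g. "https://example.com".
function siteOf(url) {
  const u = new URL(url);
  const domain = registrableDomain(u.hostname);
  return domain === null ? null : `${u.protocol}//${domain}`;
}

// Two URLs share a renderer process under Site Isolation iff they are same-site.
function sameSite(a, b) {
  const sa = siteOf(a);
  return sa !== null && sa === siteOf(b);
}

// The authors' mitigation: user-supplied scripts must be served from a host that is
// cross-site with every origin holding sensitive data, so attacker code is never
// co-located with that data in one process.
function userContentHostIsSafe(userContentUrl, sensitiveUrls) {
  return sensitiveUrls.every((s) => !sameSite(userContentUrl, s));
}

// Constructed sample pairs: attacker-controlled page vs. page holding secrets.
const SAMPLE_PAIRS = [
  ["https://attacker.example.com/", "https://login.example.com/"],    // same site: exposed
  ["https://attacker.example.com/", "https://example.com/"],          // same site: exposed
  ["https://attacker.example.com/", "http://login.example.com/"],     // scheme differs: isolated
  ["https://attacker.github.io/", "https://victim.github.io/"],       // github.io is a public suffix: isolated
  ["https://usercontent.example.net/", "https://login.example.com/"], // separate eTLD+1: isolated
];

// One record per pair saying whether Spook.js on the first URL could reach the second.
function evaluatePairs(pairs = SAMPLE_PAIRS) {
  return pairs.map(([attacker, victim]) => ({
    attacker,
    victim,
    sharedProcess: sameSite(attacker, victim),
  }));
}

for (const r of evaluatePairs()) {
  console.log(`${r.attacker} -> ${r.victim}: ${r.sharedProcess ? "SAME PROCESS (reachable)" : "isolated"}`);
}
```

The github.io pair is the model to copy: because that suffix is on the Public Suffix List, every user subdomain is its own site and gets its own process. A host that serves user content under the main site's eTLD+1 fails `userContentHostIsSafe`, which is exactly the Tumblr and Bitbucket situation the researchers exploited.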
