Researchers at Graz University of Technology (TU Graz) have uncovered a significant security vulnerability in web browsers' graphics processing unit (GPU) interfaces, potentially compromising users' privacy and security. Through malicious JavaScript code utilizing WebGPU, attackers can exploit this vulnerability to spy on sensitive information, including keystrokes and encryption keys, without user interaction.
Although WebGPU is still under active development, it is already supported by major browsers such as Chrome, Chromium, Microsoft Edge, and Firefox Nightly builds. However, the TU Graz research team warns that this access to GPU resources poses serious security risks and urges browser manufacturers to address the issue promptly.
The researchers' attacks targeted systems with various NVIDIA and AMD graphics cards and exploited the computer's cache memory, which is accessible via WebGPU. By monitoring cache changes, the attackers could infer security-sensitive information, such as keystrokes and AES encryption keys.
The team demonstrated three distinct attacks: cache monitoring for keystroke analysis, a covert communication channel established using cache segmentation, and a compromise of AES encryption by identifying encryption key locations in the system.
While the AES attack may be more complex under real-world conditions, the researchers emphasize the precision of their techniques and the potential implications for security. They have notified browser manufacturers of their findings and advocate for enhanced security measures in the development of WebGPU to mitigate these risks effectively.
More: https://techxplore.com/news/2024-04-vulnerability-browser-interface-access-graphics.html
