New SpookJS Attack Bypasses Google Chrome’s Site Isolation Protection


A newly discovered side-channel attack demonstrated on modern processors can be weaponized to overcome the Site Isolation protections woven into Google Chrome and Chromium browsers and leak sensitive data in a Spectre-style speculative execution attack.

Dubbed “Spook.js” by academics from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv University, the technique is a JavaScript-based line of attack that specifically aims to get around the barriers Google put in place after the Spectre and Meltdown vulnerabilities came to light in January 2018. Those barriers were meant to prevent leakage by ensuring that content from different domains does not share the same address space.

“An attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled,” the researchers said, adding “the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension.”

As a consequence, any data stored in the memory of a website being rendered or a Chrome extension can be extracted, including personally identifiable information displayed on the website, and auto-filled usernames, passwords, and credit card numbers.

Spectre, designated as CVE-2017-5753 and CVE-2017-5715, refers to a class of hardware vulnerabilities in CPUs that breaks the isolation between different applications and permits attackers to trick a program into accessing arbitrary locations within its own memory space, thereby reading the contents of that memory and potentially obtaining sensitive data.

“These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory,” Google noted. “Effectively, this means that untrustworthy code may be able to read any memory in its process’s address space.”

Site Isolation, rolled out in July 2018, is Google’s software countermeasure designed to make such attacks harder to exploit, alongside other measures such as reducing timer granularity. With the feature enabled, Chrome versions 67 and above load each website in its own process, which thwarts attacks between processes and thus between sites.

However, the researchers behind the latest study found scenarios in which the Site Isolation safeguards do not separate two websites, effectively undermining the Spectre protections. Spook.js exploits this design quirk to leak information from Chrome and Chromium-based browsers running on Intel, AMD, and Apple M1 processors.

“Thus, Chrome will separate ‘example.com’ and ‘example.net’ due to different [top-level domains], and also ‘example.com’ and ‘attacker.com’,” the researchers explained. “However, ‘attacker.example.com’ and ‘corporate.example.com’ are allowed to share the same process [and] this allows pages hosted under ‘attacker.example.com’ to potentially extract information from pages under ‘corporate.example.com’.”

“Spook.js shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks,” the researchers added. That said, as with other Spectre variants, exploiting Spook.js is difficult, requiring substantial side-channel expertise on the part of the attacker.

In response to the findings, the Chrome Security Team, in July 2021, extended Site Isolation to ensure that “extensions can no longer share processes with each other,” in addition to applying it to “sites where users log in via third-party providers.” The new setting, called Strict Extension Isolation, is enabled as of Chrome version 92 and up.

“Web developers can immediately separate untrusted, user-supplied JavaScript code from all other content for their website, hosting all user-supplied JavaScript code at a domain that has a different eTLD+1,” the researchers said. “This way, Strict Site Isolation will not consolidate attacker-supplied code with potentially sensitive data into the same process, putting the data out of reach even for Spook.js as it cannot cross process boundaries.”
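As an added example (not code from the researchers, from Google, or from Chrome itself), the following JavaScript models the eTLD+1 rule the researchers describe and turns their advice into a check a site owner can run: does a page’s script source resolve to the same site, and therefore the same process under Site Isolation, as the page embedding it? The public-suffix subset, the helper names (`registrableDomain`, `siteOf`, `shareProcess`, `scriptsSharingSite`) and the sample URLs are all constructed for this example; a real deployment would consult the full Public Suffix List, and Chrome’s actual site-grouping logic has more cases than this simplified model.

```javascript
// Constructed stand-in for the Public Suffix List (publicsuffix.org).
// A real check would load the complete list; these entries are only
// enough to illustrate the eTLD+1 rule.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// Return the registrable domain (eTLD+1) of a hostname, or null when the
// hostname is itself a public suffix (e.g. "co.uk").
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Walk from the full hostname down so the longest listed suffix wins.
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      if (i === 0) return null;            // bare public suffix, no eTLD+1
      return labels.slice(i - 1).join("."); // one label above the suffix
    }
  }
  // No listed suffix: treat the last label as the suffix (simplification).
  if (labels.length < 2) return null;
  return labels.slice(-2).join(".");
}

// Simplified "site" key in the spirit of Site Isolation: scheme + eTLD+1.
// This is a model for illustration, not Chrome's implementation.
function siteOf(urlString) {
  const url = new URL(urlString);
  const domain = registrableDomain(url.hostname);
  return `${url.protocol}//${domain ?? url.hostname}`;
}

// Two URLs fall into the same site, and hence may share a renderer process.
function shareProcess(urlA, urlB) {
  return siteOf(urlA) === siteOf(urlB);
}

// Defensive check mirroring the researchers' advice: list the script sources
// that share a site with the page that loads them. Anything returned here is
// user-supplied code that Site Isolation will NOT keep out of the page's process.
function scriptsSharingSite(pageUrl, scriptUrls) {
  return scriptUrls.filter((src) => shareProcess(pageUrl, src));
}

// Constructed demonstration matching the cases quoted in the article.
const page = "https://corporate.example.com/dashboard";
const scripts = [
  "https://usercontent.example.com/widget.js",   // same eTLD+1: shares process
  "https://example-usercontent.net/widget.js",   // different eTLD+1: isolated
];
console.log("shared site:", scriptsSharingSite(page, scripts));
```

Running the block prints the single same-site script source; moving that script to a host under a different eTLD+1 (the second entry) empties the list, which is exactly the separation the researchers recommend.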