Security researchers have discovered what appears to be the first browser side-channel attack that is JavaScript-free, and Apple's M1 chips may be more vulnerable to it.
The attack is built entirely from HTML and CSS, and is described as "architecturally agnostic": the researchers say it works across Intel, Samsung, AMD, and Apple Silicon CPUs, according to The 8-Bit.
According to the research paper, "Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses", posted on arXiv (the preprint server run by Cornell University), the researchers started with the goal of exploring how effective disabling or restricting JavaScript is as a mitigation for browser side-channel attacks.
Over the course of that work, the team created a new side-channel proof of concept built entirely in CSS and HTML, which they say opens the door to "microarchitectural website fingerprinting attacks" even when script execution is completely blocked in the browser.
The attack lets an attacker who gets a victim to open a crafted page infer which other websites the victim is loading at the same time, by measuring contention in the CPU cache that the attacker's page shares with the rest of the browser. Because it depends on the cache rather than on script execution, disabling JavaScript does not stop it, and because it observes the victim's own machine rather than its network traffic, privacy technologies like VPNs or Tor do not hide the activity either.
The team, made up of researchers at the University of Michigan, Ben-Gurion University of the Negev, and the University of Adelaide, tested the attack on Intel Core, AMD Ryzen, Samsung Exynos, and Apple M1 systems. While all of the tested CPUs were susceptible, the researchers report that Apple's M1 and Samsung's Exynos chips were somewhat more vulnerable to their attacks than the Intel parts.
"Ironically, we show that our attacks are sometimes more effective on these novel CPUs by Apple and Samsung compared to their well-explored Intel counterparts, presumably due to their simpler cache replacement policies," the researchers wrote.
Even hardened browsers such as Tor Browser, DeterFox, and Chrome Zero were found to be at least somewhat vulnerable to the CSS-and-HTML attack.
For the M1 chip, however, the team notes that the memory and cache subsystems of Apple Silicon have yet to be studied in detail. Because of that, there may be a "grace period" in which attackers in the wild find it difficult to target the Apple chips.
The researchers notified each chipmaker of their findings. In a statement to the researchers, Apple said the public disclosure of the attack didn't raise any concerns.
As far as potential fixes, the researchers say that the attack can be mitigated with either software or hardware updates. "The root cause of microarchitectural side-channels is the sharing of microarchitectural components across code executing in different protection domains. Hence, partitioning the state, either spatially or temporally, can be effective in preventing attacks. Partitioning can be done in hardware or by the operating system," they wrote.
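The quoted passage names the root cause (cache state shared across protection domains) and the fix (partitioning that state in space or in time). The following is an added example, written for this page and not code from the paper or the article: a toy model of a set-associative LRU cache in which an "attacker" primes and probes the cache while a "victim" touches a working set whose size stands in for the page it is loading. It counts probe misses directly instead of measuring time, uses an assumed geometry of 64 sets by 4 ways, and gives each partitioned domain a full copy of the cache rather than a split of the ways; the numbers it produces are properties of this model, not of any real CPU or of the researchers' CSS technique.

```javascript
// Added example: why a shared cache leaks and why partitioning stops it.
// Assumed model geometry (not from the paper): 64 sets x 4 ways, true LRU.
const SETS = 64;
const WAYS = 4;
const CAPACITY = SETS * WAYS;
const ATTACKER_BASE = 0;          // attacker's lines: 0 .. CAPACITY-1
const VICTIM_BASE = 1 << 20;      // multiple of SETS, so victim line j -> set j % SETS

// One set-associative cache with LRU replacement. Addresses are line numbers;
// set index = addr % sets. Each set is an array ordered LRU .. MRU.
class LruCache {
  constructor(sets = SETS, ways = WAYS) {
    this.sets = sets;
    this.ways = ways;
    this.lines = Array.from({ length: sets }, () => []);
  }
  enter(_domain) {}               // shared cache: a domain switch changes nothing
  flush() { this.lines = this.lines.map(() => []); }
  // Returns true on hit, false on miss; updates LRU order and evicts on miss.
  access(addr) {
    const set = this.lines[addr % this.sets];
    const i = set.indexOf(addr);
    if (i >= 0) {
      set.splice(i, 1);
      set.push(addr);             // move to MRU
      return true;
    }
    if (set.length === this.ways) set.shift();   // evict LRU line
    set.push(addr);
    return false;
  }
}

// Spatial partitioning: every protection domain gets its own cache state.
// (Real designs split ways or sets between domains; the model keeps a full copy each.)
class SpatiallyPartitionedCache {
  constructor() { this.parts = new Map(); this.current = null; }
  enter(domain) {
    if (!this.parts.has(domain)) this.parts.set(domain, new LruCache());
    this.current = this.parts.get(domain);
  }
  access(addr) { return this.current.access(addr); }
}

// Temporal partitioning: one cache, flushed whenever the executing domain changes.
class TemporallyPartitionedCache {
  constructor() { this.inner = new LruCache(); this.last = null; }
  enter(domain) {
    if (this.last !== null && domain !== this.last) this.inner.flush();
    this.last = domain;
  }
  access(addr) { return this.inner.access(addr); }
}

// Prime: the attacker fills every way of every set with its own lines.
function prime(cache) {
  cache.enter('attacker');
  for (let i = 0; i < CAPACITY; i++) cache.access(ATTACKER_BASE + i);
}

// Victim touches `workingSet` distinct lines, one per set in address order.
function victimRun(cache, workingSet) {
  cache.enter('victim');
  for (let j = 0; j < workingSet; j++) cache.access(VICTIM_BASE + j);
}

// Probe: the attacker re-touches its lines in reverse prime order and counts misses.
// Reverse (MRU-first) order matters: a miss then evicts the victim's line instead
// of another attacker line, so the miss count equals the number of sets the victim used.
function probe(cache) {
  cache.enter('attacker');
  let misses = 0;
  for (let i = CAPACITY - 1; i >= 0; i--) {
    if (!cache.access(ATTACKER_BASE + i)) misses++;
  }
  return misses;
}

// Run prime -> victim -> probe for each working-set size; return what the attacker sees.
function channelTrace(makeCache, workingSets) {
  return workingSets.map((ws) => {
    const cache = makeCache();
    prime(cache);
    victimRun(cache, ws);
    return probe(cache);
  });
}

// The channel leaks if the attacker's observation depends on what the victim did.
function leaks(trace) { return new Set(trace).size > 1; }

const WORKING_SETS = [0, 16, 32, 64];   // constructed victim sizes for the demo
const results = {
  shared:   channelTrace(() => new LruCache(), WORKING_SETS),
  spatial:  channelTrace(() => new SpatiallyPartitionedCache(), WORKING_SETS),
  temporal: channelTrace(() => new TemporallyPartitionedCache(), WORKING_SETS),
};
for (const [name, trace] of Object.entries(results)) {
  console.log(`${name.padEnd(8)} probe misses for victim sizes ${JSON.stringify(WORKING_SETS)}: ${JSON.stringify(trace)} leaks=${leaks(trace)}`);
}
```

With the shared cache the miss count tracks the victim's working set exactly, which is the signal a website-fingerprinting classifier would train on. Spatial partitioning makes the attacker's probe blind to the victim (always zero misses), and temporal partitioning makes it uninformative (always a full set of misses, whatever the victim did); either way the observation no longer depends on the victim, which is the property the researchers' mitigation is after.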
This is the second piece of M1-related security news to surface in as many months, though the earlier one was malware rather than a chip flaw: in February, researchers discovered a mysterious malware strain called Silver Sparrow that was compiled to run natively on Macs with M1 chips.
Who's at risk, and how to protect yourself
The research described in the paper is a proof of concept, and its main lesson is that browser side-channel attacks are hard to prevent: since this one runs without scripts, disabling JavaScript is not a defense, and the mitigations the researchers point to (partitioning cache state in hardware or in the operating system) are not something an end user can apply on their own. At this point, there is no indication that this type of attack is being exploited in the wild on Apple Silicon.
So, affects pretty much everybody.
Chrome Zero - the browser you can't find in a Google Search, but plenty of zero-day reports! Well done! :D
So they discovered the government’s “back door”
At least as described in the paper, this finding isn't that alarming on its own. It's impressive that they could do it, but the information they can glean (at this point) is relatively trivial. They can with a high degree of certainty predict whether you have recently visited a web page--that they themselves have accessed. So if today I went to a page with their exploit, if they were checking whether I had recently been to the AI home page, they would be able to predict that I had. That's not great, but it's not putting anything I care about (except my browsing habits) at risk. The key parts are a) they have to "ask" about a particular page, b) they have to have the contents of that page, and c) all they get back is an estimate of the likelihood that I frequent that page. Again, that's very impressive and creepy, but for most people this isn't a serious exploit.
It seems like this is primarily a software bug rather than a hardware one and as such should be able to be patched with an update.
I don't even understand how an HTML/CSS exploit could affect a computer at the microprocessor level. Seems mental.