Security researchers have demonstrated what appears to be the first browser side-channel attack that needs no JavaScript at all, and Apple's M1 chips may be somewhat more exposed to it than Intel parts.
Credit: Andrew O'Hara, AppleInsider
The attack is built entirely from HTML and CSS, and is described as "architecturally agnostic." The researchers say they've found it to work across Intel, Samsung, AMD, and Apple Silicon CPUs, according to The 8-Bit.
According to the research paper, posted to arXiv (the preprint server hosted by Cornell University), the researchers started with the goal of measuring how effective disabling or restricting JavaScript is as a mitigation for browser side-channel attacks.
Through the course of their research, the team was able to create a new side-channel proof of concept built entirely in CSS and HTML, which could open the door to "microarchitectural website fingerprinting attacks." It works even if script execution is completely blocked on a browser, they said.
The technique lets an attacker infer which websites a user is visiting by observing the pressure the victim's browsing puts on the processor's shared cache, rather than by inspecting network traffic. Because the signal comes from microarchitectural state and not from packets, blocking JavaScript does not stop it, and network-level privacy tools such as VPNs or Tor do not hide it.
The team, made up of researchers at the University of Michigan, Ben-Gurion University of the Negev, and the University of Adelaide, tested the attack on Intel Core, AMD Ryzen, Samsung Exynos, and Apple M1 processors. While almost every architecture tested was susceptible, the researchers report that Apple's M1 and Samsung's Exynos chips were in some cases a bit more vulnerable to their attacks than the Intel parts.
"Ironically, we show that our attacks are sometimes more effective on these novel CPUs by Apple and Samsung compared to their well-explored Intel counterparts, presumably due to their simpler cache replacement policies," the researchers wrote.
Even hardened browsers and browser extensions such as Tor Browser, DeterFox, and Chrome Zero were found to be at least partially vulnerable to the CSS-and-HTML attack.
For the M1 specifically, the team notes that the memory and cache subsystems of Apple Silicon have yet to be studied in detail. That may give Apple a "grace period" during which attackers in the wild find the chips harder to target.
The researchers notified each chipmaker of their findings. In a statement to the researchers, Apple said the public disclosure of the attack didn't raise any concerns.
As for potential fixes, the researchers say the attack can be mitigated in either software or hardware, and the fix follows from the root cause: "The root cause of microarchitectural side-channels is the sharing of microarchitectural components across code executing in different protection domains. Hence, partitioning the state, either spatially or temporally, can be effective in preventing attacks. Partitioning can be done in hardware or by the operating system," they wrote.
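To make the partitioning argument concrete, the following toy simulation (added here as an illustration; it is not code from the paper or from any vendor) models an 8-way set-associative cache with LRU replacement, runs a Prime+Probe style measurement in which an attacker fills one cache set, lets a victim run, and then counts how many of its own lines were evicted, and then repeats the measurement with the cache partitioned spatially (each domain owns a fixed share of the ways) or temporally (all state is flushed on a domain switch). The cache geometry, the address-to-set mapping, and the `attacker`/`victim` domain names are assumptions of the model, not details taken from the paper.

```python
"""Toy model of a cache side channel and of the two partitioning defences.

Assumptions (not from the paper): 64 sets, 8 ways, 64-byte lines, per-set LRU
replacement, set index taken from the address bits just above the line offset.
"""
from collections import OrderedDict

LINE_SIZE = 64
NUM_SETS = 64
WAYS = 8
TARGET_SET = 17          # the set the attacker monitors (arbitrary choice)


class Cache:
    """Set-associative LRU cache shared by several protection domains.

    partition="none":     all ways are shared (the vulnerable configuration).
    partition="spatial":  each domain owns WAYS // len(domains) ways per set.
    partition="temporal": all cached state is flushed whenever the domain changes.
    """

    def __init__(self, partition="none", domains=("attacker", "victim")):
        self.partition = partition
        self.domains = tuple(domains)
        self.current = None
        self.sets = {}   # (set_index, owner) -> OrderedDict(tag -> None), LRU order

    def _ways_for(self, domain):
        if self.partition == "spatial":
            return WAYS // len(self.domains)
        return WAYS

    def _key(self, set_index, domain):
        # Under spatial partitioning each domain sees a private slice of the set.
        return (set_index, domain if self.partition == "spatial" else None)

    def _switch_to(self, domain):
        if self.partition == "temporal" and self.current not in (None, domain):
            self.sets.clear()          # temporal partition: flush on domain switch
        self.current = domain

    def access(self, addr, domain):
        """Return True on a hit and False on a miss, updating LRU state."""
        self._switch_to(domain)
        set_index = (addr // LINE_SIZE) % NUM_SETS
        tag = addr // (LINE_SIZE * NUM_SETS)
        lines = self.sets.setdefault(self._key(set_index, domain), OrderedDict())
        if tag in lines:
            lines.move_to_end(tag)     # refresh: this line is now most recently used
            return True
        if len(lines) >= self._ways_for(domain):
            lines.popitem(last=False)  # evict the least recently used line
        lines[tag] = None
        return False


def eviction_set(set_index, ways=WAYS):
    """Attacker addresses that all map to set_index but carry distinct tags."""
    return [set_index * LINE_SIZE + i * LINE_SIZE * NUM_SETS for i in range(ways)]


def victim_step(cache, secret_bit):
    """The victim touches TARGET_SET when secret_bit is 1, a neighbouring set otherwise."""
    set_index = TARGET_SET if secret_bit else (TARGET_SET + 1) % NUM_SETS
    cache.access(set_index * LINE_SIZE + 1000 * LINE_SIZE * NUM_SETS, "victim")


def prime_probe(partition, secret_bit):
    """Run one prime / victim / probe round; return the attacker's probe-miss count."""
    cache = Cache(partition)
    lines = eviction_set(TARGET_SET)
    for addr in lines:                     # prime: fill the set with attacker lines
        cache.access(addr, "attacker")
    victim_step(cache, secret_bit)         # victim runs in between
    misses = 0
    for addr in reversed(lines):           # probe in reverse order to avoid self-eviction
        if not cache.access(addr, "attacker"):
            misses += 1
    return misses


def leaks(partition):
    """True if the attacker's observation depends on the victim's secret."""
    return prime_probe(partition, 0) != prime_probe(partition, 1)


if __name__ == "__main__":
    for mode in ("none", "spatial", "temporal"):
        print(mode, [prime_probe(mode, bit) for bit in (0, 1)], "leaks" if leaks(mode) else "safe")
```

With a fully shared cache the attacker sees 0 probe misses when the victim stays away from the monitored set and exactly 1 when it touches it, so the secret bit is recovered. Under spatial partitioning the victim can only evict lines in its own share of the ways and the attacker's count is the same either way; under temporal partitioning every probe access misses regardless of what the victim did, which likewise carries no information but costs the whole cache contents on each switch.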
This is the second piece of M1-related security news to surface in as many months. In February, researchers discovered a mysterious malware strain called Silver Sparrow that could run natively on Macs with M1 chips.
Who's at risk, and how to protect yourself
The research described in the paper is best read as a proof of concept that side-channel attacks are hard to prevent, even with scripting disabled. There is no indication that this technique is being exploited in the wild against Apple Silicon.
Because Apple received a copy of the research before publication, it is likely that the company is evaluating the severity of the issue. A fix, whether in Safari or in macOS, may arrive in the future.