SpookJS Attack Allows to Bypass Site Isolation In Google Chrome

Site Isolation in Google Chrome

A group of scientists from universities in Australia, Israel and the United States have presented a side-channel attack that allows recovering data from Google Chrome and Chromium-based browsers protected by the Site Isolation function.

The attack is dubbed Spook.js (or SpookJS), which is a direct reference to the Meltdown and Specter processor vulnerabilities discovered in 2018. Although both attacks were demonstrated only as a concept back then, they proved that there are many flaws in the design of modern processors.

As a result, Intel and AMD made a commitment to change future designs of their CPUs, making them more secure, and software vendors have increased the protection of their applications to make it more difficult or even to prevent the exploitation of such bugs.

Google was one of the first companies to implement defenses, adding a new feature to Chrome called Site Isolation. This feature splits JavaScript code for each domain, preventing Specter-like JavaScript attacks and stealing information from other open user tabs.

However, scientists have now reported that the current version of Site Isolation is ineffective. Although site isolation separates domains from each other (for example, example.com from attacker.com), subdomains are not isolated (for example, attacker.example.com from login.example.com). Spook.js exploits this very flaw in Site Isolation’s design. Moreover, the researchers believe that Google is aware of the problem, but cannot do anything about it, since the separation of JavaScript code at the subdomain level will damage 13.4% of all sites on the Internet.

As a result, the experts managed to create a JavaScript tool Spook.js that allows side-channel attacks like Specter on Chrome and Chromium-based browsers running on Intel, AMD and Apple M1 processors. The tool extracts data from the same subdomains where the attacked site is located, that is, it will only works if the attacker manages to inject Spook.js on the target resource.

As being said, the researchers especially highlighted that many sites allow users to create their own subdomains and run JavaScript code, such as Tumblr, GitHub, Bitbucket, and many others. In addition, sites can simply be hacked specifically to carry out an attack.

In their report, experts demonstrate the successful compromise of Tumblr and Bitbucket, but also admit that not all sites that support the creation of subdomains have data that is worth stealing at all. For example, Google is of interest in this regard: in this case, scientists created a site in Google Sites, where they uploaded Spook.js to create a malicious page. As a result, they were able to recover images uploaded to the victim’s personal Google Workspace or Google Photo account.

The researchers also packaged Spook.js into a Chrome extension that they loaded into the browser. Since all the code was executed in one process, Spook.js was able to extract data from other extensions, which during the experiment were passwords that were automatically filled by the LastPass extension in the victim’s browser. Of all the attacks, experts considered this the most serious, since users, as a rule, install a large number of extensions, many of which have access to all data, and as a result, Spook.js “sees” all this.

The experts have already notified all the companies whose products they tested (including Intel, AMD, Google, Tumblr, LastPass and Atlassian) about the problem. Google took the findings of the researchers seriously and announced last summer that Site Isolation will now work at the extension level, separating their JavaScript code from each other.

Unfortunately, experts point out that this does not help defend against other variations of the Spook.js attack.

Web developers should immediately separate untrusted user-supplied JavaScript from all other content on the site by placing all user-supplied JavaScript on a domain with a different eTLD + 1. Thus, strong isolation will not allow the code provided by an attacker to be combined in one process with potentially confidential data, making it inaccessible even to Spook.js, since it is not able to go outside the process.the authors of Spook.js say.

Let me remind you that I also reported that New vulnerabilities help to bypass protection from Specter on Linux systems.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *