Critical GPU Vulnerability Could Expose Sensitive User Data

In a groundbreaking discovery, researchers have unearthed an alarming vulnerability that shines a spotlight on all major GPU manufacturers, including Apple, Intel, AMD, Arm, Qualcomm, and Nvidia.

This new attack, dubbed GPU.zip, threatens user privacy by allowing malicious websites to discern and read pixels from other websites, potentially exposing usernames, passwords and other sensitive information.

Bypassing the 'Same Origin Policy'

The attack sidesteps the pivotal "same origin policy" security measure, which traditionally ensures that content from one website remains insulated from all other domains.

Under normal circumstances, this policy would stop websites from scrutinizing data from other sites, including content, source codes and the end visual products. However, GPU.zip has demonstrated that this is no longer an absolute assurance.

The Role of 'Iframe'

By exploiting the data compression techniques GPUs use to augment performance, the attack acts as a sneaky side channel to capture pixels one at a time.

A key to this method is the use of an iframe, a standard HTML element often used to embed external content like ads or images. While most sites that house sensitive data block cross-origin embedding, some, such as Wikipedia, do not. This loophole makes sites like Wikipedia vulnerable to the attack, revealing information like usernames.

Impact on Chromium Browsers

Although the attack only works on Chromium-based browsers like Chrome and Edge, its implications are profound. The methodology varies slightly depending on the GPU manufacturer, given the distinct data compression schemes they utilize.

After meticulously reverse-engineering each scheme, researchers concluded that, while execution time differed, the pixel capture accuracy remained consistently high, hovering near 100%.

A Call for Robust Defenses

Yingchen Wang, the principal researcher from the University of Texas at Austin, delved deeper into the mechanics of the attack, stating: "We found that modern GPUs automatically try to compress this visual data, without any application involvement. This is done to save memory bandwidth and improve performance. Since compressibility is data dependent, this optimization creates a side channel which can be exploited by an attacker to reveal information about the visual data."

This discovery poses urgent questions about the privacy measures in place and underscores GPU manufacturers' need to bolster their defenses against such vulnerabilities.