You’re not going to love this, but it’s still a good thing that they found it.
Per a research paper posted on arXiv (the preprint server hosted by Cornell University), a group of security researchers has described what appears to be the first browser-based side-channel attack that needs no JavaScript at all, and Apple M1 chips may be more susceptible to it than the Intel chips they replace.
The attack is constructed entirely from HTML and CSS, is described by the researchers as "architecturally agnostic," and is reported to work across Intel, AMD, Samsung, and Apple Silicon CPUs.
The group said they set out to measure how effective a browser side-channel attack would remain if JavaScript were restricted or disabled in the browser, which is exactly what several hardened browsers do to defeat the timers the classic attacks rely on.
Over the course of that research, the team built a new side-channel proof of concept made only of CSS and HTML, which they say opens the door to "microarchitectural website fingerprinting attacks." It works even when script execution is completely blocked in the browser.
Such an attack lets a malicious page infer which other websites a user is visiting, regardless of privacy technologies such as VPNs or Tor: those protect the network path, not the state a victim site leaves in the shared CPU cache while it renders.
The team, made up of researchers at the University of Michigan, Ben-Gurion University of the Negev, and the University of Adelaide, said they tested the attack on Intel Core, AMD Ryzen, Samsung Exynos, and Apple M1 processors. While every architecture they tested was susceptible, the team noted that Apple's M1 and Samsung's Exynos chips may be somewhat more vulnerable to their techniques.
“Ironically, we show that our attacks are sometimes more effective on these novel CPUs by Apple and Samsung compared to their well-explored Intel counterparts, presumably due to their simpler cache replacement policies,” the researchers wrote.
Additionally, hardened browsers such as Tor Browser, DeterFox, and Chrome Zero, whose defenses focus on coarsening or removing the JavaScript timers and APIs that earlier attacks needed, were found to be at least somewhat vulnerable to the CSS-and-HTML attack.
The researchers notified each chipmaker of their findings. Apple, in response, said that public disclosure of the attack did not raise any concerns.
The researchers stated that the attack could be mitigated with either software or hardware updates, and offered the following analysis:
“The root cause of microarchitectural side-channels is the sharing of microarchitectural components across code executing in different protection domains. Hence, partitioning the state, either spatially or temporally, can be effective in preventing attacks. Partitioning can be done in hardware or by the operating system.”
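As an added illustration of the spatial partitioning the researchers describe (this is example code written for this article, not code from the paper, and not a description of how any shipping OS or browser does it): an operating system that assigns physical pages by "color," so that two protection domains never map memory to the same cache sets. The cache geometry, the page counts, and the domain names "browser" and "victim" are assumptions constructed for the example.

```python
# Added illustration of the researchers' mitigation: spatial partitioning of a
# shared, physically indexed cache by the operating system, commonly called
# page coloring. Not code from the paper; the cache geometry and page counts
# below are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class CacheGeometry:
    """A physically indexed, set-associative cache (all numbers are assumptions)."""
    size_bytes: int
    ways: int
    line_bytes: int
    page_bytes: int

    @property
    def num_sets(self) -> int:
        return self.size_bytes // (self.ways * self.line_bytes)

    @property
    def num_colors(self) -> int:
        # One way spans num_sets * line_bytes of address space. The set-index
        # bits that lie above the page offset are the bits the OS controls when
        # it picks a physical frame; each distinct value is one color.
        return max(1, (self.num_sets * self.line_bytes) // self.page_bytes)

    def cache_set(self, phys_addr: int) -> int:
        return (phys_addr // self.line_bytes) % self.num_sets

    def color(self, phys_addr: int) -> int:
        return (phys_addr // self.page_bytes) % self.num_colors


def sets_touched(geom: CacheGeometry, page_addr: int) -> set:
    """Every cache set that any line of this physical page can occupy."""
    return {geom.cache_set(page_addr + off)
            for off in range(0, geom.page_bytes, geom.line_bytes)}


def domains_share_sets(geom: CacheGeometry, pages_a, pages_b) -> bool:
    """True if some page of A and some page of B map to a common cache set."""
    sets_a = set().union(*(sets_touched(geom, p) for p in pages_a))
    sets_b = set().union(*(sets_touched(geom, p) for p in pages_b))
    return bool(sets_a & sets_b)


class ColoredAllocator:
    """OS-side page allocator that gives each protection domain its own colors."""

    def __init__(self, geom: CacheGeometry, total_pages: int, domains):
        self.geom = geom
        self.free = {c: [] for c in range(geom.num_colors)}
        for pfn in range(total_pages):
            self.free[geom.color(pfn * geom.page_bytes)].append(pfn)
        # Deal the color space out to the domains round-robin; no color is shared.
        self.palette = {d: [] for d in domains}
        for c in range(geom.num_colors):
            self.palette[domains[c % len(domains)]].append(c)
        self.cursor = {d: 0 for d in domains}

    def alloc_page(self, domain) -> int:
        """Return the physical address of a free page in one of `domain`'s colors."""
        palette = self.palette[domain]
        for _ in range(len(palette)):
            c = palette[self.cursor[domain] % len(palette)]
            self.cursor[domain] += 1
            if self.free[c]:
                return self.free[c].pop() * self.geom.page_bytes
        raise MemoryError(f"no free pages left in the colors assigned to {domain!r}")


def naive_pages(geom: CacheGeometry, first_pfn: int, count: int):
    """An uncolored allocator: consecutive frames, with no regard for cache sets."""
    return [(first_pfn + i) * geom.page_bytes for i in range(count)]


def demo() -> dict:
    geom = CacheGeometry(size_bytes=8 * 2**20, ways=16, line_bytes=64, page_bytes=4096)
    # Uncolored: the browser gets frames 0..63 and the victim gets 128..191.
    # Frame 128 has the same color as frame 0, so the two domains contend for
    # the same cache sets and one can observe the other's occupancy.
    naive_shared = domains_share_sets(geom, naive_pages(geom, 0, 64),
                                      naive_pages(geom, 128, 64))
    # Colored: 4096 frames, colors split between the two domains.
    alloc = ColoredAllocator(geom, total_pages=4096, domains=["browser", "victim"])
    browser = [alloc.alloc_page("browser") for _ in range(256)]
    victim = [alloc.alloc_page("victim") for _ in range(256)]
    colored_shared = domains_share_sets(geom, browser, victim)
    return {"sets": geom.num_sets, "colors": geom.num_colors,
            "naive_shared": naive_shared, "colored_shared": colored_shared}


if __name__ == "__main__":
    print(demo())
```

With the assumed 8 MiB, 16-way, 64-byte-line cache and 4 KiB pages there are 8192 sets and 128 colors, so each domain gets 64 colors and half the cache. The caveat a practitioner would add is that the OS can only partition by the protection domain it knows about, the process: if an attacker tab and a victim tab render in the same browser process, they share colors, so this only helps alongside per-site process isolation in the browser. The alternative the researchers mention, temporal partitioning, is the other lever: flush or scrub the shared state when control passes between domains rather than splitting it up front.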
The research described in the paper is best read as a proof of concept showing how hard side-channel attacks are to prevent. At this point there is no indication that this type of attack is being exploited in the wild on Apple Silicon.
Given that Apple was provided a copy of the research prior to publication, it seems likely the company is evaluating the severity of the issue, so a fix, whether via Safari or macOS, could be on the way.
Stay tuned for additional details as they become available.
Via AppleInsider and The 8-Bit