this post was submitted on 26 Sep 2023
304 points (98.4% liked)

Technology

71623 readers
3441 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
304
GPUs from all major suppliers are vulnerable to new pixel-stealing attack (arstechnica.com)
submitted 2 years ago by geosoco@kbin.social to c/technology@lemmy.world
33 comments fedilink hide all child comments
 

GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper published Tuesday.

The cross-origin attack allows a malicious website from one domain—say, example.com—to effectively read the pixels displayed by a website from example.org, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains.

...

The security threats that can result when HTML is embedded in iframes on malicious websites have been well-known for more than a decade. Most websites restrict the cross-origin embedding of pages displaying user names, passwords, or other sensitive content through X-Frame-Options or Content-Security-Policy headers. Not all, however, do. One example is Wikipedia, which shows the usernames of people who log in to their accounts. A person who wants to remain anonymous while visiting a site they don’t trust could be outed if it contained an iframe containing a link to https://en.wikipedia.org/wiki/Main_Page.

Pixel stealing PoC for deanonymizing a user, run with other tabs open playing video. “Ground Truth” is the victim iframe (Wikipedia logged in as “Yingchenw”). “AMD” is the attack result on a Ryzen 7 4800U after 30 minutes, with 97 percent accuracy. “Intel” is the attack result for an i7-8700 after 215 minutes with 98 percent accuracy.

The researchers showed how GPU.zip allows a malicious website they created for their PoC to steal pixels one by one for a user’s Wikipedia username. The attack works on GPUs provided by Apple, Intel, AMD, Qualcomm, Arm, and Nvidia. On AMD’s Ryzen 7 4800U, GPU.zip took about 30 minutes to render the targeted pixels with 97 percent accuracy. The attack required 215 minutes to reconstruct the pixels when displayed on a system running an Intel i7-8700.

...

all 38 comments
sorted by: hot top controversial new old
[–] mojo@lemm.ee 129 points 2 years ago (3 children)

Should clarify this only affects Chromium browsers

[–] ryannathans@aussie.zone 90 points 2 years ago (1 children)

Chad firefox users unaffected

[–] FireTower@lemmy.world 39 points 2 years ago (1 children)

[–] RizzRustbolt@lemmy.world -5 points 2 years ago (2 children)

Was cool...

[–] LinyosT@sopuli.xyz 15 points 2 years ago

Was and still is

[–] Honytawk@lemmy.zip 5 points 2 years ago

Now it is amazing and clean

[–] systemglitch@lemmy.world 15 points 2 years ago

Lol. Nice.

[–] aard@kyu.de 53 points 2 years ago (1 children)

Parts of that make me pretty angry. I prevented cross origin iframes for years, and refused to buy on pages which were embedding payment verification screens like that instead of just going to that page - and back then one of my banks even was sensible enough to fail verifications if loaded in an iframe.

But nowadays pretty much none of the authentication bits work if you don't allow those. It was always obvious it is a bad idea, and if it were not for those idiot designers we could just have removed support for cross origin iframes from browsers years ago. Nobody needs that, they just shouldn't be supported at all.

[–] Kbin_space_program@kbin.social 19 points 2 years ago

Here's one that won't enrage you.

Salesforce Marketing Cloud doesn't have a way for an external site to push a Post to a landing page / custom page without allowing all external sites.

You can't whitelist a specific site.

[–] mathematicalMagpie@lemm.ee 29 points 2 years ago (1 children)

They're going to steal your NFTs!

[–] hedgehog@ttrpg.network 8 points 2 years ago

All my apes, gone!

[–] TheGrandNagus@lemmy.world 26 points 2 years ago

You wouldn't download a pixel

[–] pensa@kbin.social 24 points 2 years ago (1 children)

I wonder how long until facebook adds it to their surveillance stack.

[–] dojan@lemmy.world 11 points 2 years ago (2 children)

Bet some overworked and underappreciated engineer is working on it right as we speak.

[–] ours@lemmy.film 4 points 2 years ago

While a bunch of NSA spies groan as (probably) a perfectly good vulnerability they paid top dollar for, dies.

[–] pensa@kbin.social 4 points 2 years ago (2 children)

If that engineer is coding that they should not be appreciated. They are part of the problem. I don't care about the pay or the status of being a facebook engineer. I really don't respect any engineer that has worked for any of the FAANG companies. Those fuckers sold out their morals the second they typed the first character of the first line of code while employed there.

[–] dojan@lemmy.world 5 points 2 years ago (1 children)

Seems like an unpopular opinion. I rather get your sentiment, but I don't think it's that black and white.

I've a friend who through Amazon (AWS) managed to leave his rather shitty country with an oppressive regime, for a much better place. I personally would never want to work at the ACRONYMCLUBS, but they do have a lot of money to swing around. If you're from some shithole, I totally get doing some less than moral (yet still perfectly legal) work just to get yours on the dry.

I'm glad I've never been forced to make such a choice but still, I get why people do it.

[–] pensa@kbin.social 2 points 2 years ago

In that situation I would view the person as self serving. Doing something to improve one's own situation at the expense of others is not conducive to a good society. I care more about the group than one friend in a tough situation. I liken it to the trolly problem.

[–] hedgehog@ttrpg.network 3 points 2 years ago (1 children)

Writing a single line of code for Meta, Apple, Amazon, Netflix, or Google means you don’t have any morals? That’s a pretty extreme stance. Are you at least consistent about it? Let’s see.

By your logic, if a person has ever purchased anything from, viewed an ad served by, or used a service or product created by any of those companies, they’re part of the problem and unworthy of your respect. After all, their actions have increased their value even more directly than a developer’s actions did - and unlike the developer, they didn’t get paid for it.

Do you apply that logic to every other for-profit corporations, just these, or some subset of them? Are nonprofits safe? Is it just developers that you have a problem with? What about product managers, scrum masters, engineering managers, HR? What about Apple storefront employees, Amazon warehouse employees, Amazon delivery drivers, Customer Service for Netflix, or content moderators for Meta?

[–] pensa@kbin.social 0 points 2 years ago

Most of what you typed is reductio ad absurdum and I will not entertain it.

To the part that is not I will say that yes I do apply the same standard to any business or employees that uses their size to to enshittify. It's called Right Livelihood and if more people lived by it we would not have the current problems with mega corps.

[–] ArbiterXero@lemmy.world 16 points 2 years ago

Thanks webgl

[–] redcalcium@lemmy.institute 13 points 2 years ago (1 children)

A big chunk of new websites deployed today have x-frame-options set to sameorigin because modern web framework these days typically have sensible default configuration. Now, if only WordPress also have this header in their default installation, most newly deployed websites will be covered, but alas...

[–] jsnfwlr@lemmy.world 1 points 2 years ago* (last edited 2 years ago)

x-frame-options is a HTTP header (an obsolete one, too - use Content-Security-Policy instead) - a frontend framework isn't able to set that. Back end frameworks can, and probably should - or at least give you the option to with a default enabled value.

While WordPress could be configured to set it, it probably shouldn't do it in the PHP - the installation guides should be telling you how to do it in Apache HTTPD or Nginx, with a fallback to doing it in PHP if changing the server config isn't available.

[–] Gsus4@feddit.nl 10 points 2 years ago* (last edited 2 years ago) (1 children)

Alright, how much is the patch going to impact performance?

As noted earlier, GPU.zip works only when the malicious attacker website is loaded into Chrome or Edge. The reason: For the attack to work, the browser must:

allow cross-origin iframes to be loaded with cookies

allow rendering SVG filters on iframes and delegate rendering tasks to the GPU

~~Does Firefox do that?~~

[–] NotAPenguin@kbin.social 19 points 2 years ago (1 children)

says in the article that firefox and safari aren't affected.

[–] BudgieMania@kbin.social 21 points 2 years ago* (last edited 2 years ago) (1 children)

common firefox w

and yet chrome will still be the default for most people

[–] dingleberry@discuss.tchncs.de 1 points 2 years ago

They aren't affected in the same way IE isn't affected.

[–] ilovesatan@lemmy.world 8 points 2 years ago (1 children)

Not my pixels! I worked hard for those!

[–] AdmiralShat@programming.dev 7 points 2 years ago

If websites have iframes, you just have to adjust when you attack

[–] AlmightySnoo@lemmy.world 3 points 2 years ago

They can have my pixels over my dead body (╯°□°)╯︵ ┻━┻