Researchers at the University of Texas at Austin have discovered a vulnerability that affects all graphics cards. This vulnerability side channel allows a malicious website deliver Private information without user consent. According to research, this affects all graphics cards of the market, whether they are Intel, AMD, NVIDIA, Apple, ARM or Qualcomm.
There are many security protocols to prevent the theft of sensitive user information. One of these mechanisms is the same origin policy, which requires complete isolation between the domain and the content.
This mechanism, among others, tries to prevent the theft of passwords to access different services. Among the mechanisms used is masking passwords with dots when we enter them. Although, there are times when previews are allowed to ensure that we do not make mistakes.
They can get your password “thanks” to the graphics card
The first thing you should know is that, to blow this vulnerabilityyou must access a malicious website. Within these websites what is done is a reconstruction of the representation of pixels generated by the GPU. In the end, we are writing the password and it is represented by this component and that is how the theft is achieved.
We have to highlight that researchers have said that the GPU-zip vulnerability (name given by researchers) is serious, but the threat is low. They have highlighted that graphics card manufacturers must release software patches and make hardware adjustments.
This vulnerability exploitsto data compression on the GPU. This mechanism allows reducing the amount of data stored and its transit. Since compression depends on the data, these are a mathematical representation that “doubles” the original size.
Despite this mechanism, a data relationship exists and it can be get the initial parameter again. Even with compression, initial information can be obtained.
We have compression of data from the GPU that is sent to the DRAM or the different system caches. In the end, it is the original data modified so that it takes up less space. Despite this “manipulation” the bits of the original information can be recovered.
Passwords, usernames and other valuable information can be reconstructed pixel by pixel through rendering.
It is not easy to exploit
GPU-zip requires that a malicious website add a iFrame container, an HTML element that allows you to embed content from external websites. The linked page must be set to iFrame so that this embed is not denied. Furthermore, it is required that the GPU be responsible for render the iFrame element, something that happens in the 99% of cases.
On the plus side, there are different implementations of the iFrame functions depending on the browser. These differences in the implementation of the operation mean that it cannot be exploited in certain browsers. Edge and Chromeare vulnerable to GPU-zip; but Safari and Firefox, they are not. According to the researchers, the vulnerability would not be in Chromium, the source code of the Edge and Chrome browsers.
According to the researchers, the problem is that GPU manufacturers include data compression algorithms based on this component to improve rendering. The problem is that these algorithms are proprietary and there is no documentation available, being a problem.
The researchers highlight that they notified GPU manufacturers and also Google in March 2023. Within the document it is highlighted that:
GPU vendors largely refused to act; one said the side channel was outside their threat model, another that it was the software’s responsibility to mitigate. As of August 2023, Apple and Google were still deciding whether and how to mitigate
