• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Qilin ransomware claimed responsibility for the attack on the beer giant Asahi

 | 

DragonForce, LockBit, and Qilin, a new triad aims to dominate the ransomware landscape

 | 

DraftKings thwarts credential stuffing attack, but urges password reset and MFA

 | 

Redis patches 13-Year-Old Lua flaw enabling Remote Code Execution

 | 

U.S. CISA adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog

 | 

GoAnywhere MFT zero-day used by Storm-1175 in Medusa ransomware campaigns

 | 

CrowdStrike ties Oracle EBS RCE (CVE-2025-61882) to Cl0p attacks began Aug 9, 2025

 | 

Discord discloses third-party breach affecting customer support data

 | 

Oracle patches critical E-Business Suite flaw exploited by Cl0p hackers

 | 

LinkedIn sues ProAPIs for $15K/Month LinkedIn data scraping scheme

 | 

Zimbra users targeted in zero-day exploit using iCalendar attachments

 | 

Reading the ENISA Threat Landscape 2025 report

 | 

Ghost in the Cloud: Weaponizing AWS X-Ray for Command & Control

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 65

 | 

Security Affairs newsletter Round 544 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

GreyNoise detects 500% surge in scans targeting Palo Alto Networks portals

 | 

U.S. CISA adds Smartbedded Meteobridge, Samsung, Juniper ScreenOS, Jenkins, and GNU Bash flaws to its Known Exploited Vulnerabilities catalog

 | 

ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims

 | 

ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE

 | 

Google warns of Cl0p extortion campaign against Oracle E-Business users

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Security
  • Spy in the sandbox attack to spy on your online activity

Spy in the sandbox attack to spy on your online activity

Pierluigi Paganini April 22, 2015

Four security researchers at the Columbia University have developed a new technique dubbed Spy in the sandbox attack to spy on victims’ online activity.

Four security researchers at the Columbia University (Yossef Oren, Vasileios Kemerlis, Simha Sethumadhavan, and Angelos Keromytis) have developed a new technique to hack computer using a Javascript that allow them to spy on keystrokes and mouse clicks in a web browser tab by snooping on the PC’s processor caches.

According to the researchers, the technique is effective against about 80 percent of desktop machines, they explained that it could be used to hack PC running a recent model Intel CPU, such as a Core i7, and any browser supporting HTML5.

The exploit, dubbed “the spy in the sandbox”, appears very insidious, the experts run a side-channel attack by using a JavaScript served from a malicious web ad network. The “the spy in the sandbox” exploit analyzes the time it takes to access data stored in the last-level cache, the L3 cache shared by all cores in a modern desktop machine and matches it to user activity.

Unlike other exploits, in the “the spy in the sandbox” attack scenarios the attacker does not need to install any malicious code on the victim’s PC to carry out “the spy in the sandbox” attack, as explained in the paper The Spy in the Sandbox – Practical Cache Attacks in JavaScript the victim can be hacked simply by visiting a page with malicious JavaScript.

“We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim’s machine — to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extremely relevant and practical to today’s web, especially since most desktop browsers currently accessing the Internet are vulnerable to this attack. “

The researchers urge IT giants Apple, Google, Microsoft and Mozilla upgrade their browsers to mitigate the spy in the Sandbox attack, there is the concrete risks that it could be carried out by criminal crews in the wild, because it doesn’t require specific effort:

“This is a very low-cost attack which would probably be used by small-time bad guys – the same creeps who bombard you with pop-up ads will probably add this to their popups so they can track you while they distract you,” said Oren.

The research conducted by the experts is the continuation of another interesting study related the last-level cache attacks that could be carried out to recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim’s web browser.

“Our attack, which is an extension of the last-level cache attacks of (Adelaide University’s) Yuva Yarom, allows a remote adversary recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser,” state the researchers.

Once during execution, the JavaScript took a snapshot of the cache and monitor any modification caused by the user operations the user (i.e. user presses a key) and then uses the browser’s high-resolution timer to record the time it takes to iterate through a block of memory.

The cache is impacted for every access that is faster than others, data retrieved with this technique allow the attacker to map the pattern of memory accesses to keystrokes and mouse movements.

The researchers explained that the exploit cannot steal any passwords or data, but it can be used to spy on victim’s activity and an attacker can use the browser history for financial theft or other malicious purposes.

spy in the sandbox 2

By testing the the spy in the sandbox attack on Intel Core i7 Mac running OS X 10.10.2 and Firefox 35.0.1, the researchers demonstrated that the malicious Javascript was able to map half the L3 cache in one minute, and about a quarter in roughly 30 seconds.

Dr Oren and his team will not release the exploit code until the browsers are patched, meantime close unused tabs when you are using on something important.

“In the meantime the best suggestion I have for end-users is: close all non-essential browser tabs when you’re doing something sensitive on your computer,” he says. 

Pierluigi Paganini

(Security Affairs –  spy in the sandbox, Javascript)


facebook linkedin twitter

browser cache Hacking Javascript side-channel attack spy in the sandbox

you might also like

Pierluigi Paganini October 08, 2025
Qilin ransomware claimed responsibility for the attack on the beer giant Asahi
Read more
Pierluigi Paganini October 08, 2025
DragonForce, LockBit, and Qilin, a new triad aims to dominate the ransomware landscape
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Qilin ransomware claimed responsibility for the attack on the beer giant Asahi

    Cyber Crime / October 08, 2025

    DragonForce, LockBit, and Qilin, a new triad aims to dominate the ransomware landscape

    Cyber Crime / October 08, 2025

    DraftKings thwarts credential stuffing attack, but urges password reset and MFA

    Security / October 08, 2025

    Redis patches 13-Year-Old Lua flaw enabling Remote Code Execution

    Security / October 08, 2025

    U.S. CISA adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog

    Hacking / October 07, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT