New Spook.Js attack allows to bypass Google Chrome Site Isolation protections

Pierluigi Paganini September 13, 2021

Spook.js is a new transient-execution side-channel attack on modern processors that can bypass the Site Isolation protections implemented in Google Chrome.

Researchers devised a transient-execution side-channel attack on modern processors, "Spook.js," that threat actors could abuse to bypass the Site Isolation protections implemented in Google Chrome and Chromium-based browsers.

In some cases the technique allows malicious JavaScript code running in the attacker's page to steal sensitive information belonging to other pages rendered in the same process.

The attack was discovered by researchers from the University of Michigan, the University of Adelaide, the Georgia Institute of Technology, and Tel Aviv University.

“We present Spook.js, a JavaScript-based Spectre attack that can read from the entire address space of the attacking webpage. We further investigate the implementation of strict site isolation in Chrome, and demonstrate limitations that allow Spook.js to read sensitive information from other webpages.” reads the research paper published by the experts.

“An attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled; the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension.”

In January 2018, a team of researchers disclosed two attacks dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which break the isolation between different applications and allow an attacker to steal sensitive data processed by the CPU.

Both attacks abuse speculative execution, an optimization used by most modern CPUs to improve performance.

Google implemented Site Isolation to mitigate Spectre-like attacks, but it is important to understand that the feature can only limit information leakage by rendering the contents of different websites in different processes; it does not stop speculative reads within a single process.

The feature has been enabled by default since Chrome 67 and loads each site in its own renderer process.

The researchers found cases in which Site Isolation fails to separate two websites, placing them in the same process and opening the door to Spectre attacks between them.

The Spook.js attack works against Chrome and Chromium-based browsers running on Intel, AMD, and Apple M1 processors. It relies on a speculative type-confusion gadget in JavaScript that lets it read from the entire address space of the process rendering the attacker's page.

“For example, Chrome will separate example.com and example.net as their top-level-domains, .net and .com, are different. example.com and attacker.com are also separated into different processes due to a difference in their first sub-domains (example and attacker). Finally, store.example.com and corporate.example.com are allowed to share the same process since they both share the same eTLD+1, example.com.” continue the experts. “We note that Chrome could have opted for a stricter isolation, using the website’s entire origin. However, origin isolation might break a non-negligible amount of websites, as 13.4% of page loads modify their origin via document.domain.”
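The grouping rule the researchers describe can be made concrete in code. The following is an added example, not code from the paper or from Chromium: it computes the "site" key (scheme + eTLD+1) that strict Site Isolation uses to decide process sharing, the origin key that the same-origin policy uses, and lists the URL pairs that fall into the gap between the two. It assumes a tiny hand-written stand-in for the Public Suffix List; real Chrome consults the full list, so the suffix table here is a constructed simplification.

```javascript
// Added example: Chrome's strict Site Isolation groups URLs by "site"
// (scheme + eTLD+1), while the same-origin policy groups them by origin
// (scheme + host + port). Two URLs that are same-site but cross-origin
// may share a renderer process, which is the gap Spook.js exploits.

// Constructed stand-in for the Public Suffix List (assumption, not exhaustive).
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk', 'github.io']);

// Return the eTLD+1 of a hostname, or null for a bare suffix / single label.
function etldPlusOne(hostname) {
  const labels = hostname.toLowerCase().split('.');
  // Walk from the longest candidate suffix to the shortest so that
  // "co.uk" is matched before "uk" would be.
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  // No listed suffix: fall back to the last two labels.
  return labels.length >= 2 ? labels.slice(-2).join('.') : null;
}

// Site key as used by Site Isolation: scheme + eTLD+1.
function siteKey(url) {
  const u = new URL(url);
  return `${u.protocol}//${etldPlusOne(u.hostname) ?? u.hostname}`;
}

// Origin key as used by the same-origin policy: scheme + host + port.
function originKey(url) {
  return new URL(url).origin;
}

function sameSite(a, b) {
  return siteKey(a) === siteKey(b);
}

function sameOrigin(a, b) {
  return originKey(a) === originKey(b);
}

// Pairs that may share a renderer process under strict Site Isolation
// even though the same-origin policy treats them as distinct.
function processSharingGaps(urls) {
  const gaps = [];
  for (let i = 0; i < urls.length; i++) {
    for (let j = i + 1; j < urls.length; j++) {
      if (sameSite(urls[i], urls[j]) && !sameOrigin(urls[i], urls[j])) {
        gaps.push([urls[i], urls[j]]);
      }
    }
  }
  return gaps;
}

// Usage with the paper's own hostnames plus the Tumblr scenario
// (attacker blog on a subdomain, login page on www).
const SAMPLE_URLS = [
  'https://store.example.com/',
  'https://corporate.example.com/',
  'https://example.net/',
  'https://attacker.com/',
  'https://attacker-blog.tumblr.com/',
  'https://www.tumblr.com/login',
];
console.log(processSharingGaps(SAMPLE_URLS));
```

A practitioner's caveat: a site operator cannot change how Chrome keys processes, but the compatibility reason the paper gives for eTLD+1 grouping is document.domain. Serving the `Origin-Agent-Cluster: ?1` response header opts a page into an origin-keyed agent cluster and disables document.domain for that origin, which removes that compatibility dependency for your own origin even though it does not by itself guarantee a separate process.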

The experts deployed Spook.js on a Tumblr blog, targeting a password that Chrome's built-in credential manager autofilled into Tumblr's login page. They published a video PoC showing that their blog can be rendered by the same Chrome process as the login page, allowing Spook.js to recover the password.

In another attack scenario, the researchers packaged Spook.js as a Chrome extension and demonstrated that, under certain conditions, multiple extensions may be consolidated into the same process. In that setting they were able to read the memory of the LastPass credential manager extension and recover the master password of the target's vault.

The researchers shared their findings with Google, which in July 2021 changed Site Isolation so that extensions can no longer share processes with each other, and also applied it to sites where users log in via third-party providers. The new Site Isolation feature, called Strict Extension Isolation, is enabled as of Chrome 92 and up.

“The fundamental weakness that Spook.js exploits is the differences in the security models of strict site isolation and the rest of the web ecosystem at large. On the one hand, strict site isolation considers any two resources served from the same eTLD+1 to always be in the same security domain. On the other hand, the rest of the web enjoys a much finer-grained definition of the security domain, often known as the same-origin policy. The same-origin policy only considers two resources to be in the same security domain if the entire domain name is identical,” conclude the researchers.
