New Spook.Js attack allows to bypass Google Chrome Site Isolation protections

Pierluigi Paganini September 13, 2021

Spook.js is a new side-channel attack on modern processors that can allow bypassing Site Isolation protections implemented in Google Chrome.

Academic researchers devised a transient side-channel attack on modern processors, “Spook.js,” that can be abused by threat actors to bypass the Site Isolation protections implemented in Google Chrome and Chromium-based browsers.

In some cases, the technique allows malicious JavaScript code to steal sensitive information from other pages rendered in the same process.

The attack was discovered by researchers from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv University.

“We present Spook.js, a JavaScript-based Spectre attack that can read from the entire address space of the attacking webpage. We further investigate the implementation of strict site isolation in Chrome, and demonstrate limitations that allow Spook.js to read sensitive information from other webpages.” reads the research paper published by the experts.

“An attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled; the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension.”

In January 2018, a team of experts devised two attacks dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could be exploited to break the isolation between different applications and steal sensitive data processed by the CPU.

Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.

Google implemented Site Isolation to mitigate Spectre-like attacks; however, it is important to understand that the feature can only limit information leakage by separating the contents of different websites into different processes, it cannot stop speculative execution itself.

The feature has been enabled since Chrome 67 and loads each website in its own renderer process.

The researchers discovered some cases where Site Isolation fails to separate two websites, opening the door to Spectre attacks between them.

The Spook.js attack works against Chrome and Chromium-based browsers running on Intel, AMD, and Apple M1 processors. It uses a type confusion technique that allows it to read the entire address space of the process in which the attacking page runs.

“For example, Chrome will separate example.com and example.net as their top-level-domains, .net and .com, are different. example.com and attacker.com are also separated into different processes due to a difference in their first sub-domains (example and attacker). Finally, store.example.com and corporate.example.com are allowed to share the same process since they both share the same eTLD+1, example.com.” continue the experts. “We note that Chrome could have opted for a stricter isolation, using the website’s entire origin. However, origin isolation might break a non-negligible amount of websites, as 13.4% of page loads modify their origin via document.domain.”

The experts deployed Spook.js on a Tumblr blog, targeting a password that was autofilled into Tumblr’s login page by Chrome’s built-in credential manager. They published a video PoC of the attack showing that the blog can be rendered by the same Chrome process as the login page, which allows Spook.js to recover the password.

In another attack scenario, the researchers packaged Spook.js as a Chrome extension and demonstrated that, under certain conditions, multiple extensions may be consolidated and executed in the same process. In their demonstration, they were able to read the memory of the LastPass credential manager extension and recover the master password of the target’s vault.

The researchers shared their findings with Google, which in July 2021 changed Site Isolation so that extensions can no longer share processes with each other, and also applied stricter isolation to sites where users log in via third-party providers. The new Site Isolation feature, called Strict Extension Isolation, is enabled as of Chrome 92 and up.

“The fundamental weakness that Spook.js exploits is the differences in the security models of strict site isolation and the rest of the web ecosystem at large. On the one hand, strict site isolation considers any two resources served from the same eTLD+1 to always be in the same security domain. On the other hand, the rest of the web enjoys a much finer-grained definition of the security domain, often known as the same-origin policy. The same-origin policy only considers two resources to be in the same security domain if the entire domain name is identical.” conclude the researchers.
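As an added example (not code from the article or from the Spook.js researchers), the following JavaScript models the two boundaries contrasted in the quotes above and below the eTLD+1 discussion: Chrome's "site" (scheme plus eTLD+1), which decides process sharing under Site Isolation, versus the same-origin policy's full origin. The public suffix table is a constructed stand-in for the real Public Suffix List, and the process-sharing check is a simplified model of the grouping the paper describes.

```javascript
// Added example: contrasts Chrome Site Isolation's "site" boundary
// (scheme + eTLD+1) with the same-origin policy's origin boundary
// (scheme + host + port). Pages that are same-site but cross-origin,
// like store.example.com and corporate.example.com, land in one renderer
// process, which is the sharing Spook.js relied on.

// Constructed, deliberately tiny stand-in for the Public Suffix List;
// real code must use the full list (thousands of entries).
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk', 'github.io']);

// Longest matching public suffix for a hostname, or null if none matches.
function publicSuffix(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return null;
}

// eTLD+1 ("registrable domain"): the public suffix plus the label before
// it. A host that is itself a public suffix has no eTLD+1.
function etldPlusOne(host) {
  const suffix = publicSuffix(host);
  if (suffix === null) return null;
  const labels = host.toLowerCase().split('.');
  const suffixLen = suffix.split('.').length;
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join('.');
}

// Chrome's notion of a "site": scheme plus eTLD+1, ignoring port and
// subdomains. Falls back to the bare hostname when no suffix matches.
function siteOf(url) {
  const u = new URL(url);
  const reg = etldPlusOne(u.hostname);
  return `${u.protocol}//${reg ?? u.hostname}`;
}

// Site Isolation's boundary: same site => may share a renderer process.
function sameSite(a, b) { return siteOf(a) === siteOf(b); }

// Same-origin policy's boundary: the full origin must match.
function sameOrigin(a, b) { return new URL(a).origin === new URL(b).origin; }

// The gap the paper points at: same-site pages that are NOT same-origin
// share a process even though the web platform treats them as distinct.
function crossOriginButSharedProcess(a, b) { return sameSite(a, b) && !sameOrigin(a, b); }
```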
