Back from Beyond: New Spook.js Spectre Attack Plagues Google Chrome

First disclosed in 2018, Spectre-style attacks have been quietly exploiting security flaws in Chromium-based browsers (Google Chrome, Microsoft Edge and Brave) to gain access to private and confidential information. Much like its counterpart, Meltdown, the Spectre vulnerability abuses a CPU performance optimisation (speculative execution) to bypass security boundaries and read a device's memory space, allowing attackers to obtain information from anywhere on the internet.

Discovered by researchers from the Universities of Michigan, Tel Aviv and Adelaide, together with the Georgia Institute of Technology, this new form of Spectre attack, known as Spook.js, uses the Spectre vulnerability to bypass Chrome's site isolation protections and, in some cases, steal confidential information via malicious JavaScript code. The research team concluded that “an attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are auto-filled. The attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension”.

Although mitigations were deployed after the initial disclosure of the Spectre vulnerability in 2018, the researchers stated that the existence of Spook.js “shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks”.

The researchers have since shared their findings with Google and the Chrome Security Team, who extended site isolation so that "extensions can no longer share processes with each other"; this change shipped in Chrome version 92 onwards. Process-level isolation narrows what a malicious page or extension can read, but it does not remove the underlying speculative-execution behaviour of the CPU. However, despite this upgrade, the invisible nature of Spectre attacks perfectly encapsulates the ever-changing landscape of internet security: it likely won't be long before another exploit is located.