Posted on 03/20/2021 11:35:15 AM PDT by Swordmaker
Security researchers from Cornell University have found a web browser attack that affects both macOS and Windows computers. Unlike other browser-based attacks, this one does not use JavaScript.
The hack is the first JavaScript-free browser side-channel attack ever discovered. Rather than using the popular scripting language, the exploit was built entirely with CSS and HTML.
Though new, Apple’s M1 chipset is not protected from this attack and maybe more vulnerable to this exploit, claim the researchers in a recently published paper (via AppleInsider).
It is described as being “architecturally agnostic” attacking Samsung, AMD, and even Apple’s new silicon, says The 8-Bit blog.
In fact, Apple’s M1 chipset may even be more vulnerable to this attack.
“Ironically, we show that our attacks are sometimes more effective on these novel CPUs by Apple and Samsung compared to their well-explored Intel counterparts, presumably due to their simpler cache replacement policies.”
Cornell University Researchers
This exploit is particularly effective as it will work even when a user locks down their browser by blocking JavaScript. It also ignores privacy technologies like Tor or a VPN that are meant to keep your browsing information safe.The vulnerability potentially could spy on a user’s web activity and share that information without the user’s consent or knowledge.
Most users believe they are always safe after blocking JavaScript and using a VPN, however, this attack shows that even these measures are not foolproof and may provide a false sense of security in some instances.
If you want on or off the Apple/Mac/iOS Ping List, Freepmail me.
Ping for your attention
Thanks to Freeper Mark17 for the heads up...
Kind of light on details. html5 is pretty functional these days and will do things only jacascript would do a few years ago.
Hmmm. Maybe something related to css image urls?
Thanks to Swordmaker for the ping!
I don’t want to dismiss or diminish the problems of malware in technology today. But, aren’t most - or at least many - of these kinds of exploit warnings largely theoretical in nature?
Thanks for the heads up. I wonder if a VPN eliminates vulnerability.
You are vulnerable to attacks when you view web pages. Viewing them through a VPN doesn't change anything. You are still connecting to remote hosts and downloading content.
Hmmm, which browser?
HTML and CSS are rendered onscreen by the browser. So, safari or brave or firefox or chrome are the one executing the code.
In before the “Buy a ?” squad....LoL
This article is bordering on useless. What’s the vulnerability? Is it remote code execution (RCE)? Data exfiltration? Privacy breach? They just say “oh, there’s this vulnerability. It doesn’t require Javascript.” Great! Thanks. What’s it do?
I am completely illiterate about any and all of this, just wanted to mention what’s been happening when I’m on facebook. Multiple pages open up, 15 to 20 sometimes, of anything I scroll past on facebook, ads, pictures someone posts, anything. It seemed to only be when I was on fb but about 20 minutes ago I opened a link someone posted on here, on another thread, and 2 additional pages of the same link opened up. Not sure if it indicates a hack or what and no idea how to stop it.
I have a Lenovo ThinkPad laptop, given to me by a friend, and Windows 10. I use Firefox for a browser and a couple of months ago switched to DuckDuckGo for a search engine, had google before that.
Thanks..and sorry for posting a possible unrelated issue.
The researchers say no, VPN is not a help. The article does not say why.
I still use Win7 for my general searches, which are benign, and freerepublic. Anything else I use Oracle Virtualbox.
.
Did a little digging on this - for the average person it’s not going to be a big deal.
This is once again some hacks getting their masters thesis by writing papers on stating the obvious.
What they’ve “proven” is that they can figure out things about the physical characteristics about your computer - like memory speed, CPU type, power consumption, etc via the scary term “side-channel attack”
https://www.wired.com/story/what-is-side-channel-attack/
This isn’t all that complex - regardless of VPN and browser security you STILL pull down web page info from the server. CSS still has some scripting features (for stuff like animation and scaled scrolling) so stick a little processing for animation in there that changes how things are loaded and voila, the server knows some things about the computer it sends data too.
At BEST - the most information they’re going to get from you is a hardware fingerprint - but that’s not going to mean anything because all MacBook 13” M1s are the same hardware!!!
In an spy situation it gets a little more serious because you can figure out a profile and maybe usage patterns on a group or business and focus any hacking efforts - but in the grand scheme of things it’s nothing to worry about.
article says vpn does not
Guys, a VPN only takes your internet traffic encrypts it between your pc and it’s exit server wherever in the world it is. It only protects you from local network vulnerabilities and attacks. It doesn’t prevent you from getting infected from a compromised web site.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.