American researchers have discovered an unusual way for hackers to steal data. A so-called GPU.zip attack allows sensitive images to be captured from within the Chrome browser. The cause: compressing data to make graphics chips do their work faster.
Integrated chips from AMD and Intel are particularly susceptible to the attack, which is explained in detail in a scientific paper. Products from Apple, Nvidia, Qualcomm and Google also allowed exploitation in the researchers’ tests. All parties were warned in March about the security threat. Specifically, countless smartphones, desktops and laptops contain the vulnerability, which is still unpatched.
The investigation covered only iGPUs, or graphics chips located within a CPU/SoC. Smartphones use these, in addition to many laptops and desktops.
Normally, sensitive data is not compressed in a way that is visible to software, so that this data cannot be leaked by reverse-engineering the compression method. However, GPUs still appear to perform this compression to increase performance. Each manufacturer performs this in a different way that in many cases is not visible to developers.
Stealing pixel data
The researchers managed to develop a way to extract pixel data from the Chrome browser and then read it back. This worked only on pages within an iFrame container, an HTML element for embedding external websites on another page. Only on Chromium-based browsers (Chrome, Edge, among others) is this exploitable via GPUs.
The so-called side-channel accuracy, or the accuracy of the end result relative to the actual image, was often well above 90 percent. In short, with a GPU.zip attack, you could potentially recover a snapshot of a login screen almost intact. This took 30 minutes on an AMD Ryzen-based system and 215 minutes on Intel chips.
However, the research team does state that the method of attack is only a proof-of-concept and does not simply take place “in the wild.” Login windows and other pages that house sensitive data cannot usually be embedded on another page. According to several GPU makers, the vulnerability was caused by software and therefore wasn’t their responsibility to fix. As a user, the method of attack is so complex that it is unlikely that one needs to be fearful of an imminent attack utilizing the methodology in question.