News PSA: GPUs from Nvidia, AMD, Intel, and Other Vendors Vulnerable to Pixel-Stealing GPU-zip Attack

As long as said flaws require physical access to the machines, most home users should be fine. Just don't allow people you don't trust to access your system. (I know this particular flaw doesn't require physical access) but just be careful what websites you visit and what you download.
 
> As long as said flaws require physical access to the machines, most home users should be fine. Just don't allow people you don't trust to access your system. (I know this particular flaw doesn't require physical access) but just be careful what websites you visit and what you download.

This advice is so wrong as to actually be dangerous!

Ads served in <iframe> elements would normally not have access to content in the containing site, but this vulnerability bypasses that restriction. For any site that displays the username (typically in the top right corner) and also serves ads, *any user* is at risk. Unfortunately, most email provider websites do both, and since email forms the basis for security of sites that don't serve ads, it can be used to help gain access to those otherwise-secure sites. Hell, even non-browser applications that use Electron or a webview-like control to display ads could read screen data.

The only mitigating factor is that passwords are not usually displayed on screen, except as dots, and this vulnerability takes quite a while to read screen data.
 
> This advice is so wrong as to actually be dangerous!
>
> Ads served in <iframe> elements would normally not have access to content in the containing site, but this vulnerability bypasses that restriction. For any site that displays the username (typically in the top right corner) and also serves ads, *any user* is at risk. Unfortunately, most email provider websites do both, and since email forms the basis for security of sites that don't serve ads, it can be used to help gain access to those otherwise-secure sites. Hell, even non-browser applications that use Electron or a webview-like control to display ads could read screen data.
>
> The only mitigating factor is that passwords are not usually displayed on screen, except as dots, and this vulnerability takes quite a while to read screen data.
I wasn't referring to iframe vulnerabilities, I was referring to the fact that as long as ANY vulnerabilities require physical access to the host machine, it is not that big of a deal as long as you don't leave your device unattended for long periods of time.
 
If anyone here using windows is concerned about GPU or CPU or any other hardware exploitable flaw....... what can I say
This isn't a Windows issue, it is a cross-platform browser iframe issue: they say it even works on Apple's stuff.

The solution: don't open your bank, tax and other sensitive accounts from third-party pages which may insert an iframe. Type the site's address directly.
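A defender-side check tied to the iframe discussion in this thread (the reply about ads embedded in iframes, and the advice just above about third-party pages that "may insert an iframe"): this added JavaScript is not code from the thread or from any browser or GPU vendor; it classifies a site's HTTP response headers by whether they allow the site to be embedded in a cross-origin iframe at all. The header sets and the `partner.example` host are constructed assumptions.

```javascript
// Added example, not code from the thread or from any browser/GPU vendor:
// classify whether a site's HTTP response headers let it be embedded in a
// cross-origin <iframe>, the precondition for the iframe-based pixel-stealing
// scenario discussed above. All header sets below are constructed samples.
function parseFrameAncestors(csp) {
  // CSP directives are ';'-separated: "name source source ...".
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length && parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null; // directive absent
}

function framingPolicy(headers) {
  // Header names are case-insensitive; normalise for lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  // frame-ancestors, when present, takes precedence over X-Frame-Options.
  const ancestors = h['content-security-policy']
    ? parseFrameAncestors(h['content-security-policy'])
    : null;
  if (ancestors !== null) {
    // An empty source list is equivalent to 'none'.
    if (ancestors.length === 0 || ancestors.includes("'none'")) return 'blocked';
    if (ancestors.every((s) => s === "'self'")) return 'same-origin-only';
    return 'framable'; // explicit host list, scheme or '*'
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin-only';
  return 'framable'; // no framing restriction at all
}

// Constructed sample responses (hypothetical, not captured from real sites).
const SAMPLES = {
  hardened: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  legacyOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  wideOpen: { 'Content-Type': 'text/html; charset=utf-8' },
  partner: { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" },
};

// Audit every sample and return { name: policy }.
function auditAll(samples = SAMPLES) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, hdrs]) => [name, framingPolicy(hdrs)]),
  );
}
```

A site whose response is classified as 'blocked' cannot be loaded inside another page's iframe, so the embedding precondition described in the thread is removed for its visitors regardless of which third-party page they arrived from.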
 
> "Edge and Chrome are currently vulnerable to it, but Safari and Firefox are not (this lets us know that the issue isn't Chromium itself)"

I don't follow: Safari and Firefox are not Chromium, Edge and Chrome are. How does the conclusion "it isn't Chromium" follow from this data?
Because of the non-transverse property. Because A ≠ B and B = C therefore A = Chromium. duh.
 
> I wasn't referring to iframe vulnerabilities, I was referring to the fact that as long as ANY vulnerabilities require physical access to the host machine, it is not that big of a deal as long as you don't leave your device unattended for long periods of time.
From what is written in the article, this vulnerability needs only a website, no physical access. And there are a lot of other vulnerabilities that do not need physical access (networking in general).
 
Can someone explain to me what the point of password pixel reconstruction is when 100% of the password requests are obfuscated? In case of phishing, pixel stealing is the last problem. Maybe I am missing something?
 
> Can someone explain to me what the point of password pixel reconstruction is when 100% of the password requests are obfuscated? In case of phishing, pixel stealing is the last problem. Maybe I am missing something?
On my mobile devices, the last typed letter briefly flashes on screen before getting replaced by the filler character just so you can confirm that you hit the correct on-screen keyboard key. On the desktop, some people click the privacy icon to reveal passwords to double-check whatever it is they entered on the keyboard. Once you are logged into something like your bank account, you may not want a pixel-peeping iframe to gather whatever banking information comes on screen either.
 
Seems like a ridiculous vulnerability that apparently can be fixed in software alone, but that GPU vendors now need to start worrying about as well... mainly from a PR standpoint. It's hard to point to the GPU as an issue when the software is using the GPU in an unsafe manner. I say this only because not all browsers are equally insecure here, so this seems like much more of a software issue than a hardware one.

That being said, when I see things like this it just screams 2FA more than anything. End users need to both pressure big companies to do what's right or you will go elsewhere AND to protect themselves at all times because these companies suck at it.
 
> On my mobile devices, the last typed letter briefly flashes on screen before getting replaced by the filler character just so you can confirm that you hit the correct on-screen keyboard key. On the desktop, some people click the privacy icon to reveal passwords to double-check whatever it is they entered on the keyboard. Once you are logged into something like your bank account, you may not want a pixel-peeping iframe to gather whatever banking information comes on screen either.
In the proof of concept from the paper, it took tens to hundreds of minutes to determine a username with a high degree of accuracy. I don't know if the attack described would be feasible if the characters are only visible for a second.
 
> In the proof of concept from the paper, it took tens to hundreds of minutes to determine a username with a high degree of accuracy. I don't know if the attack described would be feasible if the characters are only visible for a second.
Well, the infosec community is known to go batshit crazy on anything that has a greater than 0.0001% chance of success under real-world conditions. If you leave a potential information leak unpatched long enough after it becomes known, someone may eventually be successful at optimizing and exploiting it.
 
I haven't used Firefox for many years. Are there any issues with it nowadays? I loved it back in the day.
Still using it after all these years. They really try their best to **** it up now and then – basic things like multi-row tabs require some serious work to install nowadays compared to the simple one-click installation of yesteryears, but it's still the best browser for people who routinely wrangle up to hundreds of open tabs and install dozens of security and productivity add-ons. No harm in trying it again.
 
> If anyone here using windows is concerned about GPU or CPU or any other hardware exploitable flaw....... what can I say

You could start with "This is a side channel issue and as long as we stay in the main channel and follow our navigational beacon we should be okay until the mothership returns"
I need some new tin foil.
 