Researchers at Graz University of Technology in Austria have discovered security issues in a new browser technology. Modern websites use more of a computer’s power, including the graphics card. Web browsers have been using the graphics card to help run websites more smoothly.
This is done through programming interfaces like WebGL and the newer WebGPU. WebGPU is not fully developed yet, but some browsers like Chrome, Chromium, Microsoft Edge and Firefox Nightly already support it.
The researchers found that they could use WebGPU to spy on data, keystrokes, and encryption keys from another person's computer without the user needing to do anything special. They just had to visit a website with harmful JavaScript. This was tested using different types of graphics cards from NVIDIA and AMD. The attacks focused on using the computer's cache memory, which is a quick storage area used by both the CPU and the graphics card.
In one attack, the researchers filled the cache with their own data and monitored when it was cleared. This helped them figure out what keys were being pressed on the keyboard. They also managed to set up a hidden way to send messages by using empty and full cache segments as binary code. This was quick enough to send simple messages.
The third type of attack was on AES encryption, a method used to secure documents and online connections. The researchers filled the cache with their own AES encryption. By watching how the cache reacted, they could find where encryption was happening in the system.
These findings were part of a study that will be presented at the ACM Asia Conference on Computer and Communications Security in Singapore. The team has already informed browser manufacturers about these security issues, hoping they will make WebGPU safer as it is developed further.
Image: DIW-Aigen
Read next: YouTube Updates Features for Easier Access and Enhanced Engagement
This is done through programming interfaces like WebGL and the newer WebGPU. WebGPU is not fully developed yet, but some browsers like Chrome, Chromium, Microsoft Edge and Firefox Nightly already support it.
The researchers found that they could use WebGPU to spy on data, keystrokes, and encryption keys from another person's computer without the user needing to do anything special. They just had to visit a website with harmful JavaScript. This was tested using different types of graphics cards from NVIDIA and AMD. The attacks focused on using the computer's cache memory, which is a quick storage area used by both the CPU and the graphics card.
In one attack, the researchers filled the cache with their own data and monitored when it was cleared. This helped them figure out what keys were being pressed on the keyboard. They also managed to set up a hidden way to send messages by using empty and full cache segments as binary code. This was quick enough to send simple messages.
The third type of attack was on AES encryption, a method used to secure documents and online connections. The researchers filled the cache with their own AES encryption. By watching how the cache reacted, they could find where encryption was happening in the system.
These findings were part of a study that will be presented at the ACM Asia Conference on Computer and Communications Security in Singapore. The team has already informed browser manufacturers about these security issues, hoping they will make WebGPU safer as it is developed further.
Image: DIW-Aigen
Read next: YouTube Updates Features for Easier Access and Enhanced Engagement