Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Endpoint Security

Google Releases PoC Exploit for Browser-Based Spectre Attack

Google last week announced the release of proof-of-concept (PoC) code designed to exploit the notorious Spectre vulnerability and leak information from web browsers.

Google last week announced the release of proof-of-concept (PoC) code designed to exploit the notorious Spectre vulnerability and leak information from web browsers.

Initially detailed in early 2018 alongside Meltdown, the side-channel attack could allow a malicious application to access data being processed on the device. The vulnerability could expose passwords, documents, emails, data from instant messaging apps, and more.

Since the public disclosure of Meltdown and Spectre, both hardware makers and software developers alike have been working on devising protections against similar flaws, and browser makers too have been implementing application-level mitigations.

In 2019, the Google team responsible for Chrome’s V8 JavaScript engine said that the attack can’t be mitigated at the software level, arguing that security boundaries in browsers should be aligned with low-level primitives, such as process-based isolation.

To keep their users safe, browser makers have already implemented protections such as Site Isolation, Cross-Origin Read Blocking, and out-of-process iframes, with a variety of security features available for other application developers as well, including Cross-Origin Resource and Cross-Origin Opener Policies, and more.

The purpose of these mechanisms is to prevent sensitive data from being present in memory sections that an attacker could read. However, they do not prevent Spectre exploitation.

In order to assess the effectiveness of such mitigations, Google’s researchers have released JavaScript PoC code functional across multiple operating systems, architectures, and hardware variants, and which “confirms the practicality of Spectre exploits against JavaScript engines.”

Advertisement. Scroll to continue reading.

While Chrome has been used to demonstrate the attack, the exploited issues are not specific to Google’s browser, but affect other modern browsers as well. An interactive demonstration of the attack can be accessed on this page, while the code and technical details were published on Github.

“The demonstration website can leak data at a speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. Note that the code will likely require minor modifications to apply to other CPUs or browser versions; however, in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes,” Google explains.

In addition to releasing the PoC, Google is making recommendations (Post-Spectre Web Development and Mitigating Side-Channel Attacks) on how web developers can improve site isolation to deny access to cross-origin resources, thus effectively mitigating Spectre-style hardware attacks, among others.

Such mitigations include Cross-Origin Resource Policy (CORP) and Fetch Metadata Request Headers, Cross-Origin Opener Policy (COOP), and Cross-Origin Embedder Policy (COEP), along with standard protections, such as the X-Frame-Options and X-Content-Type-Options headers, along with SameSite cookies.

“It’s important to note that while […] the mechanisms […] are important and powerful security primitives, they don’t guarantee complete protection against Spectre; they require a considered deployment approach which takes behaviors specific to the given application into account,” Google notes.

Related: Microsoft Brings Hardware-Based Isolation to Chrome, Firefox

Related: Should You Be Concerned About the Recently Leaked Spectre Exploits?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.