Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

New GPU Side-Channel Attack Allows Malicious Websites to Steal Data

GPUs from AMD, Apple, Arm, Intel, Nvidia and Qualcomm are vulnerable to a new type of side-channel attack named GPU.zip.

GPU Side Channel attack

Nearly all modern graphics processing units (GPUs) are vulnerable to a new type of side-channel attack that could be leveraged to obtain sensitive information, according to a team of researchers from various universities in the United States.

The new attack method, named GPU.zip, was discovered and detailed by representatives of the University of Texas at Austin, Carnegie Mellon University, University of Washington, and University of Illinois Urbana-Champaign.

The GPU.zip attack leverages hardware-based graphical data compression, an optimization in modern GPUs that is designed for improving performance.

“GPU.zip exploits software-transparent uses of compression. This is in contrast to prior compression side channels, which leak because of software-visible uses of compression and can be mitigated by disabling compression in software,” the researchers explained.

Unlike many other recently disclosed side-channel attacks, which require some sort of access to the targeted device, GPU.zip can be exploited by luring the targeted user to a malicious website. Through this attack, the attacker’s site can steal data from other websites visited at the same time by the victim.  

Specifically, the method can be used by the malicious website to steal individual pixels from a different site that is open at the same time. This enables the theft of information that is visible on the screen, such as usernames, which can be used to deanonymize a user.

While websites that hold sensitive information are typically configured to prevent this type of leakage, there are some popular sites that are still vulnerable. 

The researchers demonstrated the attack on Wikipedia, stealing the targeted individual’s username, which is displayed in the top corner. However, it’s worth noting that it takes a significant amount of time for the malicious site to obtain the information via a GPU.zip attack. 

Advertisement. Scroll to continue reading.

In two experiments conducted by the researchers it took 30 minutes and 215 minutes to obtain the Wikipedia username.

Nevertheless, developers should ensure that their websites are not vulnerable, by configuring them to deny being embedded by cross-origin sites.

Information on the findings and proof-of-concept (PoC) code was provided to AMD, Apple, Arm, Intel, Nvidia, and Qualcomm in March 2023, but none of them has committed to releasing patches as of September 2023. 

The attack has been demonstrated to work on the Chrome web browser. Other widely used browsers, such as Safari and Firefox, are not impacted. Google was also notified in March 2023 about the potential risk, but the internet giant is still deciding whether and how to fix the issue, the researchers said.

Update: After publication of this article, Intel provided SecurityWeek the following statement:

“While Intel hasn’t had access to the researcher’s full paper, we assessed the researcher findings that were provided and determined the root cause is not in our GPUs but in third party software.”

Related: Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack

Related: New ‘Inception’ Side-Channel Attack Targets AMD Processors

Related: New MIT Framework Evaluates Side-Channel Attack Mitigations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Register

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

Orchid Security has appointed a new Chief Product Officer and three advisors.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.