GPUs from all major suppliers are vulnerable to new pixel-stealing attack

ndsvw, 8 months ago

Under-the-hood differences in the way Firefox and Safari work prevent the attack from succeeding when those browsers process an attack page.

Ah, so no one of us is at risk…

mojo, 8 months ago

Should clarify this only affects Chromium browsers

ryannathans, 8 months ago

Chad firefox users unaffected

FireTower, 8 months ago

https://lemmy.world/pictrs/image/625a0f6d-d8d2-4040-ab65-282e49152bc5.jpeg

RizzRustbolt, 8 months ago

Was cool…

Honytawk, 8 months ago

Now it is amazing and clean

LinyosT, 8 months ago

Was and still is

systemglitch, 8 months ago

Lol. Nice.

aard, 8 months ago

Parts of that make me pretty angry. I prevented cross origin iframes for years, and refused to buy on pages which were embedding payment verification screens like that instead of just going to that page - and back then one of my banks even was sensible enough to fail verifications if loaded in an iframe.

But nowadays pretty much none of the authentication bits work if you don’t allow those. It was always obvious it is a bad idea, and if it were not for those idiot designers we could just have removed support for cross origin iframes from browsers years ago. Nobody needs that, they just shouldn’t be supported at all.

Kbin_space_program, 8 months ago

Here's one that won't enrage you.

Salesforce Marketing Cloud doesn't have a way for an external site to push a Post to a landing page / custom page without allowing all external sites.

You can't whitelist a specific site.

TheGrandNagus, 8 months ago

You wouldn’t download a pixel

AdmiralShat, 8 months ago

If websites have iframes, you just have to adjust when you attack

redcalcium, 8 months ago

A big chunk of new websites deployed today have x-frame-options set to sameorigin because modern web framework these days typically have sensible default configuration. Now, if only WordPress also have this header in their default installation, most newly deployed websites will be covered, but alas…

jsnfwlr, 8 months ago

x-frame-options is a HTTP header (an obsolete one, too - use Content-Security-Policy instead) - a frontend framework isn’t able to set that. Back end frameworks can, and probably should - or at least give you the option to with a default enabled value.

While WordPress could be configured to set it, it probably shouldn’t do it in the PHP - the installation guides should be telling you how to do it in Apache HTTPD or Nginx, with a fallback to doing it in PHP if changing the server config isn’t available.

mathematicalMagpie, 8 months ago

They’re going to steal your NFTs!

hedgehog, 8 months ago

All my apes, gone!

circuitfarmer, 8 months ago

deleted_by_author

bobman, 8 months ago

Is there any way to hide these images?

They are getting pretty obnoxious.

ripcord, 8 months ago

On kbin, at least, they don't expand by default.

bobman, 8 months ago

That’s a start.

ArbiterXero, 8 months ago

Thanks webgl

AlmightySnoo, 8 months ago

They can have my pixels over my dead body (╯°□°)╯︵ ┻━┻

ilovesatan, 8 months ago

Not my pixels! I worked hard for those!

Gsus4, 8 months ago (edited 7 months ago)

Alright, how much is the patch going to impact performance?

As noted earlier, GPU.zip works only when the malicious attacker website is loaded into Chrome or Edge. The reason: For the attack to work, the browser must:

allow cross-origin iframes to be loaded with cookies

allow rendering SVG filters on iframes and delegate rendering tasks to the GPU

Does Firefox do that?

NotAPenguin, 8 months ago

says in the article that firefox and safari aren't affected.

BudgieMania, 8 months ago

common firefox w

and yet chrome will still be the default for most people

dingleberry, 8 months ago

They aren’t affected in the same way IE isn’t affected.

pensa, 8 months ago

I wonder how long until facebook adds it to their surveillance stack.

dojan, 8 months ago

Bet some overworked and underappreciated engineer is working on it right as we speak.

pensa, 8 months ago

If that engineer is coding that they should not be appreciated. They are part of the problem. I don't care about the pay or the status of being a facebook engineer. I really don't respect any engineer that has worked for any of the FAANG companies. Those fuckers sold out their morals the second they typed the first character of the first line of code while employed there.

hedgehog, 8 months ago

Writing a single line of code for Meta, Apple, Amazon, Netflix, or Google means you don’t have any morals? That’s a pretty extreme stance. Are you at least consistent about it? Let’s see.

By your logic, if a person has ever purchased anything from, viewed an ad served by, or used a service or product created by any of those companies, they’re part of the problem and unworthy of your respect. After all, their actions have increased their value even more directly than a developer’s actions did - and unlike the developer, they didn’t get paid for it.

Do you apply that logic to every other for-profit corporations, just these, or some subset of them? Are nonprofits safe? Is it just developers that you have a problem with? What about product managers, scrum masters, engineering managers, HR? What about Apple storefront employees, Amazon warehouse employees, Amazon delivery drivers, Customer Service for Netflix, or content moderators for Meta?

pensa, 7 months ago

Most of what you typed is reductio ad absurdum and I will not entertain it.

To the part that is not I will say that yes I do apply the same standard to any business or employees that uses their size to to enshittify. It's called Right Livelihood and if more people lived by it we would not have the current problems with mega corps.

dojan, 8 months ago

Seems like an unpopular opinion. I rather get your sentiment, but I don’t think it’s that black and white.

I’ve a friend who through Amazon (AWS) managed to leave his rather shitty country with an oppressive regime, for a much better place. I personally would never want to work at the ACRONYMCLUBS, but they do have a lot of money to swing around. If you’re from some shithole, I totally get doing some less than moral (yet still perfectly legal) work just to get yours on the dry.

I’m glad I’ve never been forced to make such a choice but still, I get why people do it.

pensa, 8 months ago

In that situation I would view the person as self serving. Doing something to improve one's own situation at the expense of others is not conducive to a good society. I care more about the group than one friend in a tough situation. I liken it to the trolly problem.

ours, 8 months ago

While a bunch of NSA spies groan as (probably) a perfectly good vulnerability they paid top dollar for, dies.

FigMcLargeHuge, 8 months ago

Those pixel stealing whores!

ripcord, 8 months ago

Time to take a look at your pixel orchard again

imaBEES, 8 months ago

Ya know, we haven’t taken a look at our pixel tree in a few seconds…

Rootiest, 8 months ago

Keep your dirty cross-origin paws off my pixels!

atzanteol, 8 months ago

Isn’t this a browser vulnerability rather than a GPU one?

tony, 8 months ago

It’s a timing vulnerability, based on how long it takes the GPU to render the page , I think, although it’s also browser specific.

But seems low risk… at a minimum of 30 minutes to grab a username, you’d have to be sat on the same page for a while and not notice your fans ramping up…

Also, passwords seems a stretch. No (sane) site displays passwords.

systemglitch, 8 months ago

I built my pc to be silent. Case and fans. I would never year the Rams ramping up. But I also use FF shrug

Alimentar, 8 months ago

What about the reveal password icon people use for complicated passwords?

geosoco, 8 months ago

Many sites have had to enable reveal passwords for people with complicated passwords not using password managers.

It's low risk, but their numbers are also coming from fairly dated hardware and is just proof of concept. It can almost certainly be speed up significantly.

Dadifer, 8 months ago

The article is saying that the gpus use a compression that is software independent and bypasses the restrictions on iFrame cross-website loading. Chrome and Edge are affected; Safari and Firefox are not.

Sylvartas, 8 months ago

Common Firefox W

RizzRustbolt, 8 months ago

Pale Moon actually already protected against this stuff. Because the team are all crazy paranoid.

EyesEyesBaby, 8 months ago

In other words, this only affects Chromium based browsers.

4am, 8 months ago

Incredible how even Ars will dance around Google when they fuck something up.

geosoco, 8 months ago

The problem is that so many browsers leverage hardware acceleration and offer access to the GPUs. So yes, the browsers could fix the issue, but the underlying cause is the way GPUs handle data that the attack is leveraging. Fixing it would likely involve not using hardware acceleration.

As these patterns are processed by the iGPU, their varying degrees of redundancy cause the lossless compression output to depend on the secret pixel. The data-dependent compression output directly translates to data-dependent DRAM traffic and data-dependent cache occupancy. Consequently, we show that, even under the most passive threat model—where an attacker can only observe coarse-grained redundancy information of a pattern using a coarse-grained timer in the browser and lacks the ability to adaptively select input—individual pixels can be leaked. Our proof-of-concept attack succeeds on a range of devices (including computers, phones) from a variety of hardware vendors with distinct GPU architectures (Intel, AMD, Apple, Nvidia). Surprisingly, our attack also succeeds on discrete GPUs, and we have preliminary results indicating the presence of software-transparent compression on those architectures as well.

It sounds distantly similar to some of the canvas issues where the acceleration creates different artifacts which makes it possible to identify GPUs and fingerprint the browsers.