YouTube player

Your computer’s graphic card could be exposing sensitive data to malicious websites.

Researchers have published a paper demonstrating how a malicious website can exploit a vulnerability in the GPU (Graphic Processing Unit) to perform a cross-origin attack and get access to sensitive visual data displayed by other websites. The vulnerability arises from the way modern GPUs perform data compression for performance improvements. This optimisation creates a side channel which can be exploited by an attacker to reveal information about the visual data. The published proof of concept only works in Chrome and Edge browsers and has an additional requirement where the page being linked to by the malicious website must not be configured to deny being embedded by cross-origin websites. The attack works on all six major GPU suppliers, which are Apple, Intel, AMD, Qualcomm, Arm and Nvidia and also works across a range of devices, including both computers and mobile devices. The threat from this vulnerability is currently considered to be low due to the multiple requirements needed in order for the attack to be successful. The researchers will be presenting their research paper at the 45th IEEE Symposium on Security and Privacy.

This segment was created for the It’s 5:05 podcast