A group of researchers from American, Australian and Israeli universities has described a new attack technique, Spook.js, that makes it possible to exploit Spectre-class vulnerabilities in Chromium-based browsers.
Another application of the method is an attack on browser plug-ins: once an attacker-controlled plug-in is installed, it can extract data from other plug-ins.
Spook.js is applicable to any browser based on the Chromium engine, including Google Chrome, Microsoft Edge and Brave. The researchers also believe that the method can be adapted to Firefox, but since the Firefox engine differs substantially from Chrome's, creating such an exploit is left for future work.
Since the type of the malicious object does not match the type of the array being processed, such accesses are normally blocked in Chrome by the deoptimization mechanism of the code used to access the arrays. To get around this, the type-confusion attack code is placed in an "if" block whose condition is never satisfied during normal execution but which is executed speculatively when the processor mispredicts the branch.
As a result, the processor speculatively accesses the crafted 64-bit pointer and rolls back its state once the misprediction is detected, but traces of the speculative execution remain in the shared cache and can be recovered with side-channel techniques that infer cache contents by measuring the difference in access time between cached and uncached data.
Finally, the researchers report that they managed to build working exploits for systems based on Intel and Apple M1 processors, which allow memory to be read at 500 bytes per second with 96% accuracy. The method is expected to be applicable to AMD processors as well, but a fully functional exploit could not be prepared for them.