A new pixel-stealing exploit can read usernames and passwords across websites

What just happened? Website developers have a new reason to build defenses against cross-origin embedding, as a recently published GPU compression exploit can potentially utilize cross-site iframes to steal sensitive information. Users should carefully consider what sites they visit while logged into essential services.

Researchers recently discovered that graphics chips from all major vendors share a vulnerability that could let attackers steal usernames or passwords displayed on websites. Graphics card manufacturers and software companies have been aware of the issue for months but haven't decided whether to respond.

The exploit affects Chrome and Edge web browsers but not Firefox or Safari. Integrated and dedicated graphics hardware from AMD, Intel, Nvidia, Apple, Arm, and Qualcomm are susceptible.

Researchers devised a proof-of-concept attack, dubbed GPU.zip, whereby a malicious website contains embedded iframes linking to other sites a user may have logged into. If the latter page allows loading cross-origin iframes with cookies and renders SVG filters on iframes using the GPU, the malicious site can steal and decode the pixels it displays. If a user is logged into an insecure page displaying their username, password, or other critical information, it becomes visible to attackers.

Fortunately, most websites that handle sensitive data forbid cross-origin embedding and are thus unaffected. Wikipedia is a significant exception, so editors should take extra precautions when browsing other sites while logged in. To check a webpage's cross-origin security, open the developer console, reload the page, read the main document request under the network tab, and check for terms such as "X-Frame-Options" or "Content-Security-Policy."

The problem originates from GPU compression, which improves performance but can leak data. Security developers usually have little trouble with the issue because compression is traditionally visible to software and uses publicly available algorithms.

However, the new research demonstrates the existence of software-invisible compression schemes that are proprietary to each vendor. Since graphics chip companies withhold information on this compression, security groups have more difficulty working around it.

Google believes existing precautions from web developers are sufficient to combat the issue and hasn't indicated plans to address it system-wide. Intel and Qualcomm confirmed that they won't take action, saying third-party software is the problem. Nvidia, AMD, Apple, and Arm haven't publicly reacted to the news. No one has confirmed active exploitation in the wild, so the vulnerability is a low priority for now.