The development comes as another group of researchers from the Graz University of Technology in Austria and the University of Rennes in France demonstrated a new graphics processing unit (GPU) attack affecting popular browsers and graphics cards that leverages specially crafted JavaScript code in a website to infer sensitive information such as passwords.

The technique, which requires no user interaction, has been described as the first GPU cache side-channel attack from within the browser.

“Since GPU computing can also offer advantages for computations within websites, browser vendors decided to expose the GPU to JavaScript through APIs like WebGL and the upcoming WebGPU standard,” the researchers said.

“Despite the inherent restrictions of the JavaScript and WebGPU environment, we construct new attack primitives enabling cache side-channel attacks with an effectiveness comparable to traditional CPU-based attacks.”

A threat actor could weaponize it by employing a drive-by attack, allowing for the extraction of AES keys or mining cryptocurrencies as users browse the internet. It impacts all operating systems and browsers implementing the WebGPU standard, as well as a broad range of GPU devices.

As countermeasures, the researchers propose treating access to the host system’s graphics card via the browser as a sensitive resource, requiring websites to seek the user’s permission (like in the case of a camera or microphone) before use.

Is this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.