Software developers from Google, Apple, Adobe and others are wrestling with the security risks posed by an emerging graphics technology which, in its present form, could jeopardize millions of users.
“The technology, known as CSS shaders, is designed to render a variety of distortion effects such as vibration, ripples and wrinkles. It works by providing a programming interface that developers can use to harness the end user's graphics card. But it can also be used by malicious site operators to steal browsing history, Facebook data and other sensitive information from unsuspecting users,” Adam Barth, a Google Chrome security researcher, warned recently.
“Because sites are allowed to display content that they are not allowed to read, an attacker can use CSS shaders to read sensitive information through a timing channel,” Barth wrote in his blog on December 3. “For example, a site can use CSS shaders to extract your personal information from Facebook through an embedded ‘Like’ button. More subtly, the site can learn your browsing history, bypassing David Baron's history-sniffing protection.”
On the WebKit browser engine developers' mailing list, Barth discussed with developers from Google, Adobe and Opera the risks posed by CSS shaders, which was submitted to the W3C as an industry standard in October. Some participants argued that the attack Barth had in mind was impractical, since it would have to be tuned to a specific browser, and extracting even a single image from the end user's screen would take a long time.
“Even if you manage to tune a CSS attack to the rendering behaviour of a specific browser, which you know will take a long time to determine the value of a single pixel, even then I think the accuracy and repeatability are very low,” Apple developer Chris Marrin wrote in a response. “Of course I could be wrong, but I haven't seen a convincing CSS rendering exploit.”
Barth admitted that he had no reliable prototype demonstrating the attack, but he expressed concern that the feature could expose users to the classic browse-and-get-hacked attack, in which private information is stolen simply by visiting the wrong site.
“For example, an attacker can apply a CSS shader to an iframe that contains content from another site,” Barth wrote in an e-mail. “If the attacker crafts a shader whose execution time depends on the content of the iframe, it can potentially steal sensitive data from that site.”
He added that the exploit could reveal the location of directories containing sensitive files when users upload them to a site.
The scenario Barth outlined is strongly reminiscent of a vulnerability discovered in a different graphics engine that is also gaining momentum as an industry standard. In June, security researchers warned that the 3D-acceleration API known as WebGL also allowed a site to extract images from visitors' screens. The proof-of-concept exploit they presented stole images in Firefox by “spraying” the memory of the computer's graphics card. The researchers said that other browsers might also be vulnerable. Barth said that vulnerability has since been fixed.
Part of the CSS shaders specification is available in nightly builds of the WebKit browser engine, which underlies Google Chrome and Safari. Adobe has an internal WebKit build that implements CSS shaders more fully. Barth said he was not aware of the technology shipping in the release version of any browser. This means the coalition of developers still has time to correct the defect before it does any damage.
“There are a number of remedies that we are discussing in the W3C CSS-SVG Effects Task Force,” Barth wrote. “In my opinion, the most promising approach is to find a subset of the GLSL shader language in which executing a shader always takes the same amount of time, regardless of its input. If we can find such a subset, sites will be able to use these effects without the risk of leaking sensitive information via the timing channel.”
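To make the “same amount of time regardless of input” idea concrete, here is an added illustration in GLSL (written for this article; it is not code from Barth, the WebKit project, or the CSS shaders draft). The uniform and varying names are assumptions; the first function shows a shader whose running time depends on the sampled pixel, the second computes the same effect with no input-dependent control flow.

```glsl
// Added illustration, not from the article or any shader spec draft.
// Fragment shader operating on the rendered content of an element.
precision mediump float;
uniform sampler2D u_texture;   // element's rendered content (assumed name)
varying vec2 v_texCoord;       // pixel position (assumed name)

// DATA-DEPENDENT TIME: the loop runs only for bright pixels, so the time to
// render a frame reveals something about content the site may not read.
// This is the kind of shader a constant-time GLSL subset must rule out.
vec4 effectTimingDependsOnInput(vec4 c) {
    if (c.r > 0.5) {
        for (int i = 0; i < 64; i++) {
            c.g = fract(sin(c.g * 43758.5453 + float(i)));
        }
    }
    return c;
}

// CONSTANT TIME: both results are always computed; the choice is made
// arithmetically with step()/mix(), so no branch or loop bound depends on
// the sampled value and every pixel costs the same amount of work.
vec4 effectConstantTime(vec4 c) {
    vec4 heavy = c;
    for (int i = 0; i < 64; i++) {
        heavy.g = fract(sin(heavy.g * 43758.5453 + float(i)));
    }
    float w = step(0.5, c.r);   // 0.0 or 1.0, computed without branching
    return mix(c, heavy, w);
}

void main() {
    vec4 c = texture2D(u_texture, v_texCoord);
    gl_FragColor = effectConstantTime(c);
}
```

A coding convention like the second function is only as strong as the GPU compiler that consumes it, which is why a language subset that admits no input-dependent control flow is a stronger guarantee than a style rule.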