Four Columbia University boffins reckon they can spy on keystrokes and mouse clicks in a web browser tab by snooping on the PC's processor caches.
The exploit is apparently effective against machines running a late-model Intel CPU, such as a Core i7, and a HTML5-happy browser – so perhaps about 80 percent of desktop machines.
The research has prompted Google, Microsoft, Mozilla, and Apple to upgrade their browsers to smother the attack vector. Nothing has yet been released.
Dr Oren – a true boffin – tells El Reg the snooping is best suited to small-time hackers.
“This is a very low-cost attack which would probably be used by small-time bad guys – the same creeps who bombard you with pop-up ads will probably add this to their popups so they can track you while they distract you,” Oren says.
“Our attack, which is an extension of the last-level cache attacks of (Adelaide University's) Yuva Yarom, allows a remote adversary recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser,” they say.
On Intel Core i7 Mac running OS X 10.10.2 and Firefox 35.0.1, the JS was able to map half the L3 cache in one minute, and about a quarter in roughly 30 seconds.
The research is very academic in nature, and not terribly practical, but challenges the assumption that most side-channel attacks require snoopers to be in close proximity to their victims, and be able to execute arbitrary native code.
The team reckons it's the first side-channel attack that easily scales to millions of targets – any modern Intel-powered PC running a HTML5 browser. AMD chips are mostly immune due to their cache design.
It gives new reach to side-channel attacks not previously thought possible, and emphasizes the need for side-channel resistant algorithms and systems.
Dr Oren will not release the attack code until the browsers are patched, and in the meantime recommends concerned punters shutter unused tabs when they are working on something important.
“In the meantime the best suggestion I have for end-users is: close all non-essential browser tabs when you’re doing something sensitive on your computer,” he says. ®