Spook.js attack bypasses Strict Site Isolation in Chrome to steal passwords

Security researchers from a collection of US and international universities have revealed details of Spook.js, a worrying transient execution side channel attack that can be used to bypass Chrome's Strict Site Isolation. Rolled out by Google in response to the Spectre security flaw, Strict Site Isolation is supposed to prevent unauthorized data theft. But the researchers found that malicious JavaScript code can be used to grab data -- such as passwords -- from other tabs. The attack has been found to affect Intel processors and Apple devices with M1 chips; AMD chips are also thought to be at risk, but… [Continue Reading]