Four Columbia University boffins reckon they can spy on keystrokes and mouse clicks in a web browser tab by snooping on the PC's processor caches, that means your internet security is under threat.
The exploit is apparently effective against machines running a late-model Intel CPU, such as a Core i7, and a HTML5-happy browser – so perhaps about 80 percent of desktop machines.
On Intel Core i7 Mac running OS X 10.10.2 and Firefox 35.0.1, the JS was able to map half the L3 cache in one minute, and about a quarter in roughly 30 seconds. The security research is very academic in nature, and not terribly practical, but challenges the assumption that most side-channel attacks require snoopers to be in close proximity to their victims, and be able to execute arbitrary native code.
The team reckons it's the first side-channel attack that easily scales to millions of targets – any modern Intel-powered PC running a HTML5 browser. AMD chips are mostly immune due to their cache design. It gives new reach to side-channel attacks not previously thought possible, and emphasizes the need for side-channel resistant algorithms and systems. Dr Oren will not release the attack code until the browsers are patched, and in the meantime recommends concerned punters shutter unused tabs when they are working on something important. “In the meantime the best suggestion I have for end-users is: close all non-essential browser tabs when you’re doing something sensitive on your computer,” he says.
110 Reykjavik, Iceland