Almost all top GPUs are at risk of this dangerous cyberattack - here’s what you need to know

Hackers could use your GPU to read your password

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A flaw in GPU units from all major manufacturers could allow hackers to read sensitive data displayed in browsers, experts have warned.

The vulnerability in question is called GPU.zip, and allows for cross-origin attacks. In essence, a hacker could create amaliciouswebsite that tracks how long the GPU takes to render a separate website, and use that information to reconstruct that second page, pixel by pixel. That way, the malicious website could read sensitive content such as usernames, passwords, and other sensitive data.

This is a brutal oversimplification of the findings, and those who would like to learn more about the technical aspects of the flaw should read the paperhere. However, GPU vendors have downplayed the importance of the findings and argue that it’s not something that needs addressing - at least not from their end.

“Soft” reaction from the OEMs

Even the media are suggesting that abusing the vulnerability is a long shot, because plenty of conditions need to be met for the attack to be successful.

Firstly, the browser must allow cross-origin iframes to be loaded with cookies, SVG filters to be rendered on them, and delegate rendering tasks to the GPU. It’s also worth mentioning that the flaw only works on Chrome and Edge browsers;Safariand Firefox are both safe.

Googlehas already responded to the claims, saying that, “widely adopted headers can prevent sites from being embedded, which prevents this attack,” adding that it has no plans to make any changes.

Intelalso added that the problem is not with the GPUs themselves but with third-party software, and thus would not be taking action. For Qualcomm, “the issue isn’t in our threat model” as it “can be resolved by the browser application.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

ViaArs Technica

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new malware utilizes a rare programming language to evade traditional detection methods

A new form of macOS malware is being used by devious North Korean hackers

I’ve been covering Apple Watch deals for years – This is the one model most people should buy on Black Friday