image of breaking badness
Breaking Badness
Breaking Badness

168. Same-Origin of the Species

Coming up this week on Breaking Badness: ExGPUse Me, Ransomware the Wild Things Are, and Gold, Guidance, and Grievances.


Here are a few highlights from each article we discussed:

ExGPUse Me

  • Graphics Processing Units (GPUs) from all major suppliers are vulnerable attack exposing images thought to be private
  • This is another example of a side channel vulnerability, where aspects of how the hardware does certain tasks can be exploited to extract data that shouldn’t be available
    • In this case, what’s going on is that the GPUs can be made to leak actual on-screen content, the literal pixels that are drawn to compose a page, and in doing that, we can read data that we shouldn’t be able to
    • What it does essentially is that It applies a filter over the webpage and measures how long it takes to draw
    • By trying different patterns it can infer what’s being drawn over because the GPU will take different amounts of time to draw it depending on what it’s drawing over. This has to do with the compression algorithm for the on-screen data
  • This leakage violates the same-origin policy, one of the most fundamental security boundaries on the Internet
    • This policy goes back quite a few years, and it’s a browser security feature that restricts how documents and scripts on one origin (which is to say web domain) can interact with resources on another origin
    • This mechanism bears a particular significance for web apps that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions
    • A strict separation between content provided by unrelated sites must be maintained on the client-side to prevent the loss of data confidentiality or integrity. Now, having said that, the way this vulnerability works is a little different from user session stealing
  • Malicious pages must be loaded onto Chrome or Edge browsers
    • There are three conditions that must be met in order for this attack to succeed: the browser must allow cross-origin iframes to be loaded with cookies, it must allow rendering SVG filters on iframes and finally it must delegate rendering tasks to the GPU
    • Chrome and Edge work this way, but Safari and Firefox do not
    • Now, this isn’t to say that there couldn’t be a variation on this exploit that could work in those browsers, but for now that’s not known to be the case and was not identified by these researchers
  • What is the severity of this type of attack?
    • GPU manufacturers are doing what they’re supposed to be doing, so we don’t think this calls for changes to the GPUs
    • This really emphasizes the importance of enforcing same-origin 
    • This takes a lot of time to pull off, so it’s not a practical exploit so far – so the severity is not very high – it’s kind of a point of interest, more of a clever finding
      • So for the time being, we don’t think this is something to necessarily worry about 
      • It points out these types of side channel exploits are endless, but this isn’t just a side channel vulnerability, it requires a same-origin violation as well

Ransomware the Wild Things Are

  • Johnson Controls International suffered a massive ransomware attack impacting the company and its subsidiaries’ operations
  • Johnson Controls is a massive multinational conglomerate dealing with access controls, physical security, fire alarms, HVAC facility management – they know a lot about many buildings out there 
  • How did this threat actor gain access?
    • We don’t know a whole lot yet – it’s still very early on in this investigation 
    • They’ve shared they’ve experienced disruptions in business
    • There is a group claiming this attack – Dark Angel – claiming they’ve pulled a bunch of sensitive data
  • Who is Dark Angel?
    • They are a ransomware group that’s been active since May 2022 
    • They are not too dissimilar from other ransomware operators – they want to get in and get out quickly 
    • They have 9 victims – they opened a leak site in April of this past year
      • Sysco and Saber are on that list of victims 
  • The Department of Homeland Security is involved in this attack as well
    • As it turns out, Johnson Controls is a vendor for the Federal Government and the building plans live within the four walls of their hard drives
    • There’s a decent amount of concern that the plans for certain facilities could be leaked – ones that people shouldn’t have access to
  • Had a government shutdown occurred, what would that have meant for this investigation?
    • In the event of a government shutdown, you’d have people looking into these things potentially sitting on the sidelines
    • Given the nature of this breach, it would not be good timing 
  • What is Johnson Controls doing to mitigate this breach?
    • Sought third party help and coordinating with their insurers 
    • This is a thing that happens to organizations and they’re running the standard playbook

This Week’s Hoodie/Goodie Scale

ExGPUse Me

[Taylor]: 3.7/10 Hoodies
[Tim]: 2/10 Hoodies

Ransomware the Wild Things Are

[Taylor]: 4/10 Hoodies
[Tim]: 3/10 Hoodies


That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!