A new technology uses the iFrame vulnerability to steal data from web pages

An iFrame, short for inline frame, is an HTML element that can be used to embed content from another website into your own web page or other website. For example, you can use an iFrame to embed a video from YouTube or a map from Google Maps into your web page.

Researchers have recently discovered security vulnerabilities in graphics cards from every manufacturer that could allow hackers. Icons can be stolen from websites that use iFrame, and researchers have reported this to the manufacturer. But there was no progress.

This vulnerability affects Chrome and Edge web browsers and affects both integrated and discrete graphics cards, including AMD, Intel, Nvidia, Apple, Arm, and Qualcomm.

The attack technique, called GPU.ZIP, starts with a malicious website that uses a trick to embed iFrames on another website. If a user clicks and allows the iFrame to load with a cookie and display SVG filters on the GPU, a malicious site can steal the rendered pixels and decrypt them. This will reveal your username, password, and other important information.

Fortunately, most websites that handle sensitive data prohibit embedding iFrames, except for public sites like Wikipedia, which can.

Instructions for users are
+ Be careful about the sites we visit. Are you trying to convince us to allow different parts?
+ If we are concerned about this vulnerability we can use browser extensions to block iFrames.

Data source

Leave a Reply

Your email address will not be published. Required fields are marked *