WebGPU Vulnerability Leaves Graphics Cards Exposed to Data Theft
Researchers from the Institute of Applied Information Processing and Communications at Graz University of Technology (TU Graz) have exposed a critical security flaw within the WebGPU browser interface.
Their research demonstrated three side-channel attacks on graphics cards that work during regular web browsing, potentially compromising sensitive user data.
As web sites and web apps demand greater processing power, browsers often use a computer’s Graphics Processing Unit (GPU) in addition to the CPU. JavaScript, the main browser language, can access the GPU via interfaces like WebGL and WebGPU, potentially opening the door to vulnerabilities. The TU Graz team used malicious JavaScript code running through WebGPU to spy on sensitive information, such as logging keystrokes or obtaining encryption keys.
Tests on NVIDIA’s GTX and RTX series, as well as AMD’s RX 6000, also revealed a vulnerability to cache-based attacks.
An Alert, But Not Entirely A Red Alert (pun intended)
As WebGPU continues to evolve, major browsers like Chrome and Firefox eagerly offer support. (Edge, of course, carries the heavy baggage of Internet Explorer’s reputation, so it shan’t be named in our list.)
Yet a critical trade-off emerges: rapid development often sidelines security. Researchers urge browser manufacturers to prioritize GPU access security, but the industry’s relentless pace, as in countless other examples of fast-paced development, often favors a large number of new features over stabilization and protection of the existing ones. This fosters a troubling “don’t fix it unless it’s broken” mentality.
And usually, it’s shipped broken.
In 2024, headlines scream about “AI overlords” stealing our jobs. There is half a truth in that; the other half is that software quality is declining in security, usability, and performance.