GPUs have a vulnerability now, as discovered by researchers with the infamous "Pixel-stealing" attack that is present among six major graphics card brands around the globe. This attack can access sensitive information on web browsers through pixels, and rendering this stolen information could retrieve data including usernames, passwords, and other possible figures.
This vulnerability is massive, with the threat actors using a cross-origin attack from a malicious website from one domain, allowing them to read pixels that could be rendered to steal information from unknowing users.
GPU Vulnerability: Sensitive Information Access Discovered
According to a release from researchers, there is now a vulnerability called "GPU.zip," one capable of accessing sensitive information via modern GPUs with an exploit that centers on graphical data compression.
"GPU.zip is a new type of side channel that exposes visual data processed on the graphics processing unit (GPU)," said the researchers.
With GPU.zip, threat actors may obtain information from a malicious webpage that would leak pixels from another webpage in various browsers, including Chrome or Edge. It violates the browser's security model.
The paper is now available in its preprint, with researchers from the University of Texas at Austin, Carnegie Mellon University, University of Washington, and the University of Illinois Urbana-Champaign working together to discover this.
'Pixel-Stealing Attack': GPU Brands Affected
The GPU brands affected by this vulnerability include AMD, Apple, Arm, Intel, Qualcomm, and one discrete GPU from NVIDIA.
According to the team, most circumstances would not expose users to this vulnerability, but access websites that enable embedded cross-origin like Wikipedia could potentially have their information obtained when another malicious page is open.
GPUs and their Security
Despite being hardware, graphics processing units (GPUs) are still vulnerable to attacks and hacks from the many threat actors and malicious elements in the world. Major brands have also been affected before, with NVIDIA sharing a previous attack done by the LAPSU$ group from South America which targeted its Ada Lovelace RTX 4000s.
Another company is AMD (Advanced Micro Devices), best known for their Radeon GPU series, as the company faced ransomware attacks from infamous groups.
Another incident with NVIDIA was seen in 2021, where the company advised the public to update their drivers for Windows 10 PCs that were discovered to be vulnerable to attacks before.
While it may be hard to believe that hardware can also be subjected to attacks despite no direct or local contacts, it is a problem that most companies face. In a recent study, GPUs are yet again vulnerable to access, with the pixel-stealing attack looking to copy what a user does on the internet from another malicious domain, capable of obtaining personal or sensitive information from the public.