
"The attack works by accessing information about screen display pixels through a hardware side channel (GPU.zip), using a technique [PDF] described by security researcher Paul Stone in 2013. Stone's work described how SVG filters could be used in a timing attack [PDF] to read the pixel values from a web page in a cross-origin iframe, a method subsequently mitigated by iframe and cross-origin cookie restrictions."
"'Our group's prior work on GPU.zip (which we presented at S&P 2024) gave us a side channel to leak rendering data, including via Stone-style attacks,' said Alan Wang, a PhD candidate at UC Berkeley, in an email to The Register. 'Based on our experience with GPU.zip and after learning about Android's Custom Tabs API (from Tabbed Out, which was also presented at S&P 2024), we realized we might be able to revive the browser attacks, which then led to the app attacks.'"
Pixnapping leverages GPU-based side channels to extract pixel values of rendered content on Android devices. A malicious Android app can sample rendering data and reconstruct screen images from other apps and web pages without screenshot permission. Targets include Google Maps, Signal, Venmo, Gmail webpages, and Google Authenticator two-factor codes. The technique revives a 2013 SVG-filter timing attack adapted to modern GPU side channels (GPU.zip) and Android Custom Tabs behavior. Existing iframe and cross-origin cookie mitigations do not prevent this app-level pixel leakage. Platform-level fixes are required to stop unauthorized cross-app display data exfiltration.
Read at Theregister