Hackers could steal your data via an unpatched GPU pixel-stealing attack. Though that 'could' is doing some real heavy lifting

News
By published

All GPUs are affected.

Graphics cards on a green background
(Image credit: Future)

A potentially scary, though difficult to implement side-channel attack that could allow malicious websites to read and extract sensitive data has broken cover. The vulnerability affects all GPU manufacturers across devices ranging from PCs, to laptops and phones.

According to a paper released by researchers from four American universities (via Ars Technica), the so-called GPU.zip attack relates to GPU compression data. This is proprietary so it would require a hacker to have a deep knowledge of GPU compression algorithms, which are closed in nature and would require reverse engineering. That's no mean feat for a start.

A malicious website can then use a cross-origin SVG (scalable vector graphics) filter to read the pixels displayed by another website.  It works by visiting a website with embedded iframe HTML elements. The iframe links to the cross-origin webpage allowing a hacker to extract information as it appears on the screen, one pixel at a time.

But it's also web browser dependent. According to the researchers, Firefox and Safari don't meet the requirements for GPU.zip to work, so chalk one up to them I guess. 

As for a fix, it's believed the GPU manufacturers are pushing for a software solution. In a statement provided to Bleeping Computer, an Intel spokesperson was quoted as saying: "While Intel hasn't had access to the researcher's full paper, we assessed the researcher findings that were provided and determined the root cause is not in our GPUs but in third party software." 

Your next upgrade

Nvidia RTX 4070 and RTX 3080 Founders Edition graphics cards

(Image credit: Future)

Best CPU for gaming: The top chips from Intel and AMD.
Best gaming motherboard: The right boards.
Best graphics card: Your perfect pixel-pusher awaits.
Best SSD for gaming: Get into the game ahead of the rest.

There's no need to panic. Hackers have much easier ways of stealing your data, being the lazy grubs they are. Most websites hosting sensitive information don't allow cross-origin embedding in the first place. Though the proof-of-concept attack was done via Wikipedia, so it's not just super obscure sites.

While this attack is not one that will require you to immediately pull the power plug on your PC, it's just another reminder of the ongoing security arms race. It's another example of hardware optimizations opening up vulnerabilities to side-channel attacks.

New and novel ways to rip people off will never stop. So yeah, always keep your software and OS up to date, and steer clear of particular dodgy websites. 

Chris Szewczyk
Chris Szewczyk
Hardware Writer

Chris' gaming experiences go back to the mid-nineties when he conned his parents into buying an 'educational PC' that was conveniently overpowered to play Doom and Tie Fighter. He developed a love of extreme overclocking that destroyed his savings despite the cheaper hardware on offer via his job at a PC store. To afford more LN2 he began moonlighting as a reviewer for VR-Zone before jumping the fence to work for MSI Australia. Since then, he's gone back to journalism, enthusiastically reviewing the latest and greatest components for PC & Tech Authority, PC Powerplay and currently Australian Personal Computer magazine and PC Gamer. Chris still puts far too many hours into Borderlands 3, always striving to become a more efficient killer.