Hackers could steal your data via an unpatched GPU pixel-stealing attack. Though that 'could' is doing some real heavy lifting


A potentially scary, though difficult-to-implement, side-channel attack that could allow malicious websites to read and extract sensitive data has broken cover. The vulnerability affects all GPU manufacturers, across devices ranging from PCs to laptops and phones.

According to a paper released by researchers from four American universities (via Ars Technica), the so-called GPU.zip attack relates to the data compression GPUs perform. The compression algorithms are proprietary and closed in nature, so a hacker would need to reverse engineer them to gain the deep knowledge the attack requires. That's no mean feat for a start.

A malicious website can then use a cross-origin SVG (scalable vector graphics) filter to read the pixels displayed by another website. It works when a user visits a website with embedded iframe HTML elements. The iframe links to the cross-origin webpage, allowing a hacker to extract information as it appears on the screen, one pixel at a time.

But it's also web browser dependent. According to the researchers, Firefox and Safari don't meet the requirements for GPU.zip to work, so chalk one up to them I guess. 

As for a fix, it's believed the GPU manufacturers are pushing for a software solution. In a statement provided to Bleeping Computer, an Intel spokesperson was quoted as saying: "While Intel hasn't had access to the researcher's full paper, we assessed the researcher findings that were provided and determined the root cause is not in our GPUs but in third party software." 


There's no need to panic. Hackers have much easier ways of stealing your data, being the lazy grubs they are. Most websites hosting sensitive information don't allow cross-origin embedding in the first place. Though the proof-of-concept attack was done via Wikipedia, so it's not just super obscure sites.

While this attack is not one that will require you to immediately pull the power plug on your PC, it's just another reminder of the ongoing security arms race. It's another example of hardware optimizations opening up vulnerabilities to side-channel attacks.

New and novel ways to rip people off will never stop. So yeah, always keep your software and OS up to date, and steer clear of particularly dodgy websites.

Chris Szewczyk
Hardware Writer
