Chrome SVG Filter Timing Attack Bypasses Same-Origin Policy (CVE-2016-5224)

Key Information Vulnerability Type: - Security: Timing attack via denormalized floating-point arithmetic in SVG filters, bypassing Same-Origin Policy Report Details: - Reporter: - Report Date: - Vulnerability Status: - Vulnerability Priority: - Vulnerability Severity: - Vulnerability Type: Vulnerability Details: - Arithmetic operations on denormalized floating-point values result in characteristic timing behavior. - When a parameter is denormalized, multiplying it by a pixel value of 0 executes measurably faster than multiplying it by a pixel value greater than 0. - This can be exploited by attackers as a timing channel to read pixels from images and iframes containing content from other origins. - Attackers can read any information or colors on other pages by measuring the timing difference between operations on black pixels and other colored pixels. Known Affected Filters: - - - - 世 - Previous Research: - This attack exploits specific values, which are processed differently by various CPUs. Similar attacks were described in "On Subnormal Floating-Point Numbers and Anomalous Timing," but researchers previously believed Chrome was not vulnerable. Mitigation Recommendation: - Ensure computations are not applied to denormalized values, as such operations do not actually require denormalized values and can be safely zeroed out. Version Details: - Chrome Version: - Operating System: - CPU: Reproduction Case: - A proof-of-concept exploit is provided to reproduce the vulnerability and read characters. Tags & CVE: - Badge: , , - CVE ID:

Goal Reached Thanks to every supporter — we hit 100%!

Chrome SVG Filter Timing Attack Bypasses Same-Origin Policy (CVE-2016-5224)