Security researchers have discovered what appears to be the first browser side-channel attack that's Javascript-free, and Apple M1 chips may be more vulnerable to it.
Credit: Andrew O'Hara, AppleInsider
The attack is built entirely from HTML and CSS, and is described as "architecturally agnostic." The researchers say they've found it to work across Intel, Samsung, AMD, and Apple Silicon CPUs, according to
The 8-Bit.
According to a research paper published by Cornell University, the researchers say they started with the goal of exploring how effective disabling or restricting JavaScript could be in mitigating attacks.
Through the course of their research, the team was able to create a new side-channel proof of concept built entirely in CSS and HTML, which could open the door to "microarchitectural website fingerprinting attacks." It works even if script execution is completely blocked on a browser, they said.