New GPU Attack Can Steal Pixel Data Across Sites, Highlighting Privacy Risks

GPUs from all major suppliers are vulnerable to a new cross-origin pixel-stealing attack that can read sensitive visual data from other sites.

The attack allows a malicious site to effectively reconstruct words or images displayed on a different domain, violating the same origin policy.

The attack currently only works in Chrome and Edge browsers due to specific features that allow cross-origin iframe embedding.

The attack is not an immediate threat but a concerning proof of concept that proper browser protections like X-Frame-Options can prevent.

Chipmakers claim the root cause is not in GPUs but rather third-party software, while browser vendors are looking into further protections.