Tacitcient99

twolf2919 said:

"...and disable JavaScript when not needed. Browser extensions that block scripts can also help." - anybody else find this advice useless?  Seems to me that you wouldn't be able to use a high level , interpreted language like Javascript to exploit a  machine instruction level  bug.

We train the M3 CPU's LVP via sandboxed JavaScript code running inside WebKit (Safari's browsing engine). When the mouse cursor is over our demo webpage, our proof-of-concept opens Proton Mail's inbox in a new window, but uses the same process to render the inbox. This brings the inbox content into the address space, making it accessible with a sandbox escape. Finally, we use the LVP to craft an arbitrary read primitive to anywhere in this address space, recovering the sender and subject lines shown on the inbox page.

from https://predictors.fail/