Researchers at four top American universities have uncovered “GPU.zip,” a cunning exploit that abuses built-in data compression in graphics cards to steal sensitive visual information. Major manufacturers NVIDIA, AMD, Intel and others are affected.
In the proof-of-concept attacks, the researchers remotely extracted usernames from Chrome browser sessions in as little as 30 minutes by manipulating compression in AMD Ryzen GPUs. They warn that GPU.zip could let hackers quietly steal passwords, emails, or other private data from countless unsuspecting users.
Tech giants were alerted about the vulnerabilities back in March 2023. But six months later, no patches have been released, leaving worldwide users susceptible to potential cyber-attacks.
By weaponizing inherent data compression that is automatically applied— often without user knowledge — the exploit capitalizes on a little-known GPU feature intended for innocent performance enhancement.
While complex, GPU.zip poses a dire global threat. Any computer, phone, or tablet with integrated or dedicated graphics is vulnerable. Thanks to tighter browser security constraints, only Firefox and Safari offer some protection.