Google Publishes "Leaky.Page" Showing Spectre In Action Within Web Browsers

Written by Michael Larabel in Google on 12 March 2021 at 01:46 PM EST. 67 Comments
Google has published their proof-of-concept code showing the practicality of Spectre exploits within modern web browsers' JavaScript engines. The code is out there and you can even try it for yourself on the web-site.

Google's Leaky.Page code shows its possible to leak data at around 1kB/s when running their Chrome web browser on a Skylake CPU. The proof-of-concept code is catering to Intel Skylake CPUs while it should also work for other processors and browsers with minor modifications to the JavaScript. Google was also successful in running this Leaky.Page attack on Apple M1 ARM CPUs without any major changes.

Google also prototyped code capable of leaking data at a rate of 8kB/s but with lower stability. On the other side, they have proof-of-concept code using JavaScript timers that can leak at 60B/s.

Google's Leaky.Page PoC is a Spectre V1 gadget that is a JavaScript array that is speculatively accessed out of bounds. While the V1 gadget can be mitigated at the software level, Chrome's V8 team determined that other gadgets such as for Spectre Variant 4 to be "simply infeasible in software" for mitigating.

More details on Google's latest Spectre findings via the Google Security Blog. The proof-of-concept Spectre code can be found at

This week meanwhile the W3C published an editor's draft of web developer recommendations around Spectre.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week