Security News > 2021 > June > NVIDIA Patches High-Severity GeForce Spoof-Attack Bug

NVIDIA gaming graphics software called GeForce Experience, bundled with the chipmaker's popular GTX GPU, is flawed and opens the door to a remote attacker that can exploit the bug to steal or manipulate data on a vulnerable Windows computer.

NVIDIA notified customers late last week of the bug and released a software patch for the flaw, which is present in its GeForce Experience Windows software.

The company warned: "NVIDIA GeForce Experience software contains a vulnerability where, if a user clicks on a maliciously formatted link that opens the GeForce Experience login page in a new browser tab instead of the GeForce Experience application and enters their login information, the malicious site can get access to the token of the user login session. Such an attack may lead to these targeted users' data being accessed, altered, or lost."

The spoofing attack vulnerability is tied to incorrect processing of "Special formatted links" in the NVIDIA GeForce Experience software.

"A remote attacker can create a specially crafted link that opens the GeForce Experience login page in a new browser tab instead of the GeForce Experience application and enters their login information, the malicious site can get access to the token of the user login session," according to a breakdown of the bug posted to Cybersecurity Help.

In March 2019, NVIDIA warned of security issues affecting its GeForce brand, including an issue affecting GeForce Experience in 2019 that could lead to code execution or DoS of products if exploited.

News URL

https://threatpost.com/nvidia-high-severity-geforce-spoof-bug/167345/