However, WebAssembly is not immune to abuse. BleepingComputer reports that the recent rise of in-browser cryptocurrency miners relied on the technology, and Forcepoint researcher John Bergbom now warns that upcoming improvements to WebAssembly could have unintended consequences. In short, these new features could render some of the Spectre and Meltdown mitigation patches useless:
"Once Wasm gets support for threads with shared memory (which is already on the Wasm roadmap), very accurate [JavaScript] timers can be created," Bergbom says, "that may render browser mitigations of certain CPU side channel attacks non-working."

A WebAssembly developer told BleepingComputer that they're aware of this issue. At the moment, the rollout of this new feature has been put on hold, but no consensus has been reached on how to proceed.
In this statement, Bergbom is more accurately referring to "timing attacks," which are a class of side-channel attacks.
Timing attacks are a class of cryptographic attacks through which a third-party observer can deduce the content of encrypted data by recording and analyzing the time taken to execute cryptographic algorithms.
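The following is an added example, not code from the article or from any project it mentions. It shows the kind of data-dependent timing the definition above describes, next to a hardened comparison, and why a coarse clock hides the difference. The names `leakyEqual`, `constantTimeEqual`, `coarsen` and `profile`, the sample bytes, and the resolution value are all assumptions made for illustration.

```javascript
// Added example. Loop iterations stand in for elapsed time, so results are deterministic.

// Leaky: returns at the first mismatching byte, so the work done
// reveals how long the matching prefix is.
function leakyEqual(secret, guess) {
  let steps = 0;
  if (secret.length !== guess.length) return { equal: false, steps }; // length treated as public
  for (let i = 0; i < secret.length; i++) {
    steps++;
    if (secret[i] !== guess[i]) return { equal: false, steps };
  }
  return { equal: true, steps };
}

// Hardened: visits every byte and folds differences into one accumulator,
// so the work done does not depend on where the inputs differ.
function constantTimeEqual(secret, guess) {
  let steps = 0;
  if (secret.length !== guess.length) return { equal: false, steps };
  let diff = 0;
  for (let i = 0; i < secret.length; i++) {
    steps++;
    diff |= secret[i] ^ guess[i];
  }
  return { equal: diff === 0, steps };
}

// Models a reduced-resolution clock: durations are rounded down to a
// multiple of `resolution` (a hypothetical value, in the same step units).
function coarsen(duration, resolution) {
  return Math.floor(duration / resolution) * resolution;
}

// Constructed sample data: a 4-byte secret and guesses sharing 0, 1 and 2 leading bytes.
const SECRET = Uint8Array.from([0x6b, 0x33, 0x79, 0x21]);
const GUESSES = [
  Uint8Array.from([0x00, 0x00, 0x00, 0x00]),
  Uint8Array.from([0x6b, 0x00, 0x00, 0x00]),
  Uint8Array.from([0x6b, 0x33, 0x00, 0x00]),
];

// Work observed for each guess under a given comparison function.
function profile(compare) {
  return GUESSES.map((g) => compare(SECRET, g).steps);
}

console.log("leaky:        ", profile(leakyEqual));
console.log("constant-time:", profile(constantTimeEqual));
console.log("leaky, coarse:", profile(leakyEqual).map((s) => coarsen(s, 8)));
```

In real code, use a vetted primitive such as Node.js's `crypto.timingSafeEqual` rather than a hand-written loop, since a JIT compiler gives no constant-time guarantee for ordinary JavaScript.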