Ask HN: Real-World Breaches from Speculative Execution Vulns?

No, for two reasons. First is that software vulnerabilities are so much more prevalent that in the real world, it would be a wasted effort to attempt to exploit these hardware side-channel vulnerabilities. There&#x27;s much lower-hanging fruit elsewhere.<p>Second is that for the most vulnerable attack scenarios, they were mitigated long before the public release of Spectre and Meltdown. The big one was cloud computing - attackers being able to exfiltrate data from VMs running on the same host. Microsoft, Amazon and Google had many months in which to roll out updates to their infrastructure that enhanced VM isolation. Similar for browser vendors, for example Chromium introducing Site Isolation. And operating system developers - mitigations for Windows kernel and Linux were being tested for months before public disclosure.

I don’t think so. Probably because it’s still much easier to get users to install ransomware by phishing or by disseminating USB sticks.

Keep in mind that &quot;breach&quot; here is limited to an <i>information leak</i>. Passwords could be read to achieve a privilege escalation; but a more likely attack would be stealing private keys or other sensitive information. The latter would leave no trace on the target system. So how would you know if your private keys or passwords had been stolen?

Presumably, some malware have been trying to exploit this: <a href="https:&#x2F;&#x2F;www.techrepublic.com&#x2F;article&#x2F;spectre-and-meltdown-flaws-being-exploited-by-more-than-100-strains-of-malware&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.techrepublic.com&#x2F;article&#x2F;spectre-and-meltdown-fl...</a><p>I&#x27;ve never seen them in the wild.