
> hackers are probably still motivated enough to try it.

The amount of actual exploit crafting that is needed to actually do something meaningful with a hack is pretty much not worth doing for any financial reason. The only time this happens now is when state funded actors or prominent groups with lots of manpower really want to take down an individual person.



Depends how automated it can be. I know some non-spectre 0-days were used broadly, either via viruses or port-scanning. Is it possible to craft some JS that'll use a spectre-like vuln to reliably grab something important like Chrome passwords or credit cards? Idk, it's hard to prove otherwise, and hackers have more time to think about this than I do.


> Is it possible to craft some JS that'll use a spectre-like vuln to reliably grab something important like Chrome passwords or credit cards?

Probably, but there’s a huge luck element involved, at least with spectre. It’s difficult to guide the speculative execution to read exactly what you want it to read, assuming you even know where it is. As a result you need to spend quite a bit of time on a single target before you’re likely to actually get the data you want. Even then, there’s likely a significant element of human analysis to assemble something useful from all the noise.

So yes, it’s almost certainly possible. But exploits don’t exist in a vacuum. If you’re expending that much effort to get credit card numbers, then quite frankly you’re a fool, because good old phishing attacks and other social engineering attacks are easier, more reliable, and above all, cheaper.

At the end of the day, crime is a business like any other, profitability and margins are king. You don’t waste time perfecting attacks that have significantly smaller margins than your existing attacks. The only exception to that is nation states, because they aren’t motivated by directly extracting cash from victims, and ultimately that’s what makes nation state actors so dangerous.



