I'm not someone who's knowledgeable in processor/memory/hardware-level flaws. But I'm curious how either Meltdown or Spectre can be used against a webapp (assuming the attacker doesn't have access to the box). Just to clarify, I don't have any intention of trying to do this myself. I'm just looking for a high-level explanation so I can understand the severity of this better.
From my understanding so far, the areas that I have to be most afraid of are attacks on my personal devices and servers living in AWS/Digital Ocean/etc. Personal devices are really vulnerable and easily accessible to hackers (via desktop apps, or even JS in the browser), while in the cloud someone could possibly attack from within their virtual machine and gain data from someone else's guest OS.
What I don't understand, though, is how someone can use this vulnerability against me when all they have access to is my web application (or whatever I load for them in the browser). Is it possible at all? Put another way, as someone running a web app, as long as my cloud provider has updated their machines, in what ways could I be attacked if I haven't updated my own OS that I run there?