October 26, 2023 at 12:21PM
Researchers have discovered a new side-channel attack called iLeakage that exploits Safari to extract sensitive information from Macs and iPhones. The attack requires the user to be lured to a malicious website, which then automatically opens the targeted site. The researchers demonstrated how it can steal passwords, Instagram credentials, email subject lines, and YouTube watch history. Apple has been informed of the issue and plans to address it in an upcoming software release. Although iLeakage is not easy to execute, it is difficult to detect and poses a threat.
Key Takeaways from the Meeting Notes:
1. A new Spectre-style side-channel attack called iLeakage has been discovered by academic researchers.
2. iLeakage exploits Safari to steal sensitive information from Macs and iPhones.
3. The attack requires the user to be lured to a malicious website, which then opens the targeted site to steal information.
4. The attack was discovered by researchers from the University of Michigan, Georgia Institute of Technology, and Ruhr University Bochum.
5. The attack can be used to obtain passwords and other sensitive information.
6. Apple has been notified of the issue but has only provided a mitigation for Safari on macOS, which is not enabled by default and is unstable.
7. Apple plans to address the issue in its next software release.
8. The iLeakage attack is difficult to detect and does not leave any trace in system log files.
9. On macOS, iLeakage only affects Safari, while on iOS it can impact other browsers as well.
10. The researchers note that the iLeakage attack demonstrates that the Spectre attack is still relevant and exploitable.