October 26, 2023 at 01:47PM
University researchers have developed a new exploit called iLeakage that can steal information from Apple Macs, iPhones, and iPads. The exploit targets Apple’s Safari browser and can steal secrets such as Gmail inbox data, text messages, and watch histories from YouTube. It can be launched against devices running Apple’s A-series or M-series chips. Third-party browsers on Apple devices are also vulnerable to the attack. Researchers have disclosed their findings to Apple, and a mitigation is available for macOS. However, the real-world applicability of this attack is limited due to user behavior and slow data exfiltration speed.
The meeting notes discuss a new exploit called “iLeakage” that targets Apple devices running Mac OS, iOS, and iPad OS. The exploit takes advantage of a side channel vulnerability related to speculative execution in Apple’s A-series and M-series chips. The attacker can steal various types of information, including Gmail inbox data, text messages, and password credentials. The exploit affects Safari, as well as third-party browsers on Apple devices that are based on WebKit. The researchers disclosed their findings to Apple on September 12, 2022, but Apple has not provided a response yet. There is a mitigation available for macOS, but it is not enabled by default. The exploit’s real-world applicability is limited due to user behaviors and the slow rate of data extraction.