Security researchers have discovered a vulnerability in Apple products that can be abused to force the Safari browser to leak a user’s login credentials and other sensitive data to a hacker.
On Wednesday, a team of researchers—which includes Daniel Genkin, a cybersecurity professor at Georgia Tech—published a paper and website warning users about the threat. The vulnerability, dubbed “iLeakage,” affects Macs and iPhones from 2020 and onwards that were built with the company’s Arm-based A-series and M-series chips.
The flaw builds off an existing attack technique that’s been used on CPUs for the past six years. Back in 2018, security researchers disclosed that all modern CPUs can be manipulated to leak sensitive information by exploiting an integral feature on the processors called “speculative execution.”
Through speculative execution, a chip can essentially prefetch instructions, cutting down on load times. However, the same feature can prefetch sensitive data, which can then be leaked through “side channels” on a PC, like the state of the memory cache, giving hackers a way to peek at normally protected information.
Although the tech industry has developed various ways to lessen the threat, Genkin and his team discovered that speculative execution attacks can also affect Apple’s Arm-based chips. The threat allowed them to create a proof-of-concept attack using a malicious website that can essentially siphon protected information from the Safari browser.
The attack works partly by harnessing the JavaScript window.open API. The researchers noticed the function can bring the victim’s website data into the same address space as their malicious website, giving them a way to read any leaked sensitive information from a targeted Mac or iPhone.
"Thus, we created an attacker page that binds window.open to an onmouseover event listener, allowing us to open any web page in our address space whenever the target has their mouse cursor on the page," the team's research paper says. "We note that even if the target closes the opened page, the contents in memory are not scrubbed immediately, allowing our attack to continue disclosing secrets."
In three video demos, the team showed the attack works if a user visits the malicious website. The page can then be triggered to open a new window to whatever website the hackers want to siphon secrets from, like a Gmail inbox or a YouTube watch history. In one video, the malicious site opens a window for the Instagram login page. The attack then proceeds to steal the username and password autofilled by the user’s Safari browser.
The researchers warn the flaw also affects all browsers on iOS since Apple requires third-party browsers to use its WebKit engine on the operating system. Fortunately, the technique requires a high level of technical knowledge to pull off, which is perhaps the main reason why speculative execution attacks have never caught on in the cybercriminal community.
Ars Technica also notes a malicious website leveraging the iLeakage flaw needs “about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.”
The researchers notified Apple about the flaw over a year ago, in September 2022. But since then, the company has only developed a “mitigation” that has to be manually turned on to protect the user, the team says. In addition, the mitigation—which isolates the threat via the window.open JavaScript function—only applies to Macs.
However, Apple is indicating a more permanent fix is on the way. The company told PCMag it plans on addressing the threat in its next scheduled software release. For instructions on activating the mitigation, you can visit the iLeakage page.
"When Apple pushes the mitigation to production, we expect it to completely protect users from our attack," added Jason Kim, a PhD student at Georgia Tech, who worked on the team. "We have not heard from Apple on how their mitigation affects their browser performance benchmarks, or when the mitigations will be deployed to customers."