Security News > 2023 > October > Side channel attacks take bite out of Apple silicon with iLeakage exploit
The attack can be launched against Macs, iPhones, and iPads running Apple's A-series or M-series chips.
For macOS, the attack only works on Safari, but for iOS and iPadOS, there's a much larger attack surface.
As Apple requires all browsers on its App Store to be based on WebKit, third-party browsers on Apple devices, like Chrome and Firefox, are essentially just Safari with proprietary wrappers on them that add functionality, and are therefore vulnerable to the attack.
With all the countermeasures bypassed and the conditions for a speculative execution attack in place, a real-world exploit of this would depend on a victim visiting an attacker-controlled web page set up to exploit iLeakage.
In attack scenarios on iPad, for example, the researchers showed that to steal Gmail data a victim would have to visit an attacker-controlled website and tap somewhere on that site that would open their Gmail inbox in a new tab.
If the attacker was able to trick a user into letting this lengthy attack take place on their device, they would be confident that anything returned would be valuable.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/10/26/ileakage_apple_exploit/
Related news
- New PIXHELL Attack Exploits LCD Screen Noise to Exfiltrate Data from Air-Gapped Computers (source)
- Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks (source)
- Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit (source)
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks (source)
- Supply Chain Attacks Can Exploit Entry Points in Python, npm, and Open-Source Ecosystems (source)
- Exploit released for new Windows Server "WinReg" NTLM Relay attack (source)
- Emergency patch: Cisco fixes bug under exploit in brute-force attacks (source)