Security News > 2023 > October > Side channel attacks take bite out of Apple silicon with iLeakage exploit
The attack can be launched against Macs, iPhones, and iPads running Apple's A-series or M-series chips.
For macOS, the attack only works on Safari, but for iOS and iPadOS, there's a much larger attack surface.
As Apple requires all browsers on its App Store to be based on WebKit, third-party browsers on Apple devices, like Chrome and Firefox, are essentially just Safari with proprietary wrappers on them that add functionality, and are therefore vulnerable to the attack.
With all the countermeasures bypassed and the conditions for a speculative execution attack in place, a real-world exploit of this would depend on a victim visiting an attacker-controlled web page set up to exploit iLeakage.
In attack scenarios on iPad, for example, the researchers showed that to steal Gmail data a victim would have to visit an attacker-controlled website and tap somewhere on that site that would open their Gmail inbox in a new tab.
If the attacker was able to trick a user into letting this lengthy attack take place on their device, they would be confident that anything returned would be valuable.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/10/26/ileakage_apple_exploit/
Related news
- FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks (source)
- Malware botnets exploit outdated D-Link routers in recent attacks (source)
- New DoubleClickjacking attack exploits double-clicks to hijack accounts (source)
- Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks (source)
- New Web3 attack exploits transaction simulations to steal crypto (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)