Security News > 2023 > October > Side channel attacks take bite out of Apple silicon with iLeakage exploit

The attack can be launched against Macs, iPhones, and iPads running Apple's A-series or M-series chips.

For macOS, the attack only works on Safari, but for iOS and iPadOS, there's a much larger attack surface.

As Apple requires all browsers on its App Store to be based on WebKit, third-party browsers on Apple devices, like Chrome and Firefox, are essentially just Safari with proprietary wrappers on them that add functionality, and are therefore vulnerable to the attack.

With all the countermeasures bypassed and the conditions for a speculative execution attack in place, a real-world exploit of this would depend on a victim visiting an attacker-controlled web page set up to exploit iLeakage.

In attack scenarios on iPad, for example, the researchers showed that to steal Gmail data a victim would have to visit an attacker-controlled website and tap somewhere on that site that would open their Gmail inbox in a new tab.

If the attacker was able to trick a user into letting this lengthy attack take place on their device, they would be confident that anything returned would be valuable.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/26/ileakage_apple_exploit/