Side channel attacks take bite out of Apple silicon with iLeakage exploit

The attack can be launched against Macs, iPhones, and iPads running Apple's A-series or M-series chips.
For macOS, the attack only works on Safari, but for iOS and iPadOS, there's a much larger attack surface.
As Apple requires all browsers on its App Store to be based on WebKit, third-party browsers on Apple devices, like Chrome and Firefox, are essentially just Safari with proprietary wrappers on them that add functionality, and are therefore vulnerable to the attack.
With all the countermeasures bypassed and the conditions for a speculative execution attack in place, a real-world exploit would depend on a victim visiting an attacker-controlled web page set up to exploit iLeakage.
In attack scenarios on iPad, for example, the researchers showed that to steal Gmail data a victim would have to visit an attacker-controlled website and tap somewhere on that site that would open their Gmail inbox in a new tab.
An attacker who managed to trick a user into letting this lengthy attack take place on their device would be confident that anything returned would be valuable.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/10/26/ileakage_apple_exploit/