Highlights:
- Phishing links sent through email that ask potential victims to reset their passwords or do something similar could be part of the attack path.
- Apple has made changes to Safari to stop iLeakage. Nonetheless, this protection is not activated by default and can only be enabled on macOS.
An academic research team has released a paper and website alerting users to a security risk that takes advantage of vulnerabilities in recent Apple Inc. devices. These vulnerabilities can be exploited to retrieve sensitive information from Apple’s Safari web browser.
Referred to as “iLeakage,” this vulnerability leverages a “speculative execution” vulnerability within Safari, which is found on modern Macs, iPads, and iPhones equipped with Apple A and M series CPUs. Speculative execution is a modern processor technique aimed at enhancing performance by executing instructions before it’s confirmed whether they are required. If speculative execution isn’t adequately controlled, it can result in security vulnerabilities.
An attacker must deceive a potential victim into visiting a malicious website to exploit the vulnerability. Phishing links sent through email that ask potential victims to reset their passwords or do something similar could be part of the attack path.
After luring a victim to the malicious site, attackers can employ JavaScript or WebAssembly to access and read the content of other web pages that the user has opened in Safari. This content may encompass personal information, passwords, or credit card details.
The researchers from the University of Michigan, Georgia Institute of Technology, and Ruhr University Bochum emphasize that iLeakage poses a significant security risk, as attackers can exploit it to steal sensitive data from Safari users.
Apple has made changes to Safari to stop iLeakage. Nonetheless, this protection is not activated by default and can only be enabled on macOS. Furthermore, it’s worth noting that the mitigation is currently labeled as unstable.
Lionel Litty, Chief Security Architect at Menlo Security Inc., a company that makes browser security, said, “This attack illustrates how, for both attackers and defenders, the browser is the new OS, with web primitives such as origins and web workers that parallel OS primitives, such as applications and threads. Security practitioners must educate themselves on this attack surface.”
Vice President of Viakoo Labs at enterprise IoT security platform company Viakoo Inc., John Gallagher, said, “The significance is not necessarily in this as an attack method, but more in how threats are evolving based on the tradeoff between speed and security.”
“Prefetching of information to speed up CPU execution has been around for a while and equally has been exploited for a while,” John Gallagher explained. “This is just a further ‘tit for tat’ and will be remediated in future CPU development.”