New iLeakage attack steals emails, passwords from Apple Safari2023-10-26 15:59 by Daniela
Tags: iLeakage, Apple, Safari
Academic researchers have recently discovered and named a new speculative side-channel attack called iLeakage, which has the potential to extract sensitive information from the Safari web browser on all recent Apple devices. This marks the first demonstration of a speculative execution attack against Apple Silicon CPUs and the Safari browser. It can be used to retrieve with "near perfect accuracy" data from Safari, as well as Firefox, Tor, and Edge on iOS.
The researchers warn the flaw also affects all browsers on iOS since Apple requires third-party browsers to use its WebKit engine on the operating system. Fortunately, the technique requires a high level of technical knowledge to pull off, which is perhaps the main reason why speculative execution attacks have never caught on in the cybercriminal community.
It's expected that Apple will be able to patch the flaw before attackers are able to replicate the work carried out by the security researchers to discover how to exploit it. Indeed, the fact that they have chosen to share as much information as they have in advance of a patch is a sign of that confidence.
Users don't need to panic about iLeakage. A future update will likely address the iLeakage attack vector, and there is already a toggle in macOS Safari that mitigates iLeakage - though it's off by default.
Read more -here-