iPhone and Mac users beware - this dangerous new iOS and macOS security flaw might see you give up your password without knowing

News
By published

Researchers find a way to infiltrate iPhone and Mac devices

Best iPhone VPN
Håll dig säker när du surfar online på din iPhone eller iPad - här är de bästa VPN-tjänsterna för iPhone. (Image credit: Shutterstock / Neirfy)

For hackers and cybercriminals, speculative execution is a gift that keeps on giving. 

In the latest development, researchers used the technique to steal passwords and other sensitive content from Apple devices via a side channel vulnerability - to target Macs, iPhones, and iPads, running A- and M-series CPUs with the latest iOS and macOS operating systems.

They named the flaw iLeakage, and what's more worrying is that it doesn’t have a CVE, or a patch, just yet, meaning iPhone and Mac users could still be at risk.

iLeakage

For demonstration purposes, the researchers created a new website. When a visitor with a vulnerable endpoint visits that website, a piece of JavaScript code opens a second website and recovers site content rendered in a pop-up. Through that second website, the attackers are able to pull sensitive data from different services the victim is logged into - from YouTube, to Gmail, and more. Even passwords being autofilled by password managers aren’t safe. 

Apparently, the iLeakage site needs around five minutes to profile the target and less than a minute to extract a 512-bit secret. 

“We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution,” the researchers said. 

“In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.” Safari is used as means of attack only on Macs. For iPhone and iPad devices, any browser will do, as they’re all built on Apple’s WebKit browser engine. 

Speculative execution is a feature built into most of today’s hardware, to enhance its speed. In layman’s terms, a chip will try to guess what the next operation will be and will preload it in anticipation. If it speculated correctly, it can execute the operation quickly, thus improving the device’s overall speed. This feature has also been at the center of a number of controversies, starting with two huge vulnerabilities discovered roughly five years ago - Spectre and Meltdown. Patching the flaws meant slowing the devices down.

While iLeakage sounds dangerous, Ars Technica argues that it’s highly unlikely to be exploited in the wild as it requires plenty of experience and knowledge on how to reverse-engineer A- and M-series chips to gain insights into the side channel they contain. “There’s no indication that this vulnerability has ever been discovered before, let alone actively exploited in the wild,” the publication concludes.

Via ArsTechnica

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
An abstract image of a lock against a digital background, denoting cybersecurity.
Apple CPU security issue could let hackers steal user data from browsers
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Apple users facing new security risks after critical USB component hacked
Apple's new "Share Item Location" feature for AirTags.
Apple security alert - zero-day patched, so update your devices now
A person at a laptop with a cybersecure lock symbol floating above it.
Parallels Desktop has some worrying security flaws for Mac users
An option to add Ambient Music buttons to the iOS 18.4 Control Center.
Apple fixes dangerous zero-day used in attacks against iPhones and iPads
Security
Microsoft reveals more on a potentially major Apple macOS security flaw
Latest in Security
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
Latest in News
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 23 (game #385)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 23 (game #651)
Google Pixel 9 Pro Fold main display opened
Apple is rumored to be prioritizing battery life on the foldable iPhone – which could also feature a liquid metal hinge for added durability
Google Pixel 9
The Google Pixel 10 just showed up in Android code – and may come with a useful speed boost
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras
More about security
Hacker silhouette working on a laptop with North Korean flag on the background

North Korea unveils new military unit targeting AI attacks

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)

This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Compal Adapt X modular laptop

One of the largest laptop manufacturers releases concept pictures of Adapt X, a modular laptop in the same vein as Framework
See more latest
Most Popular
Compal Adapt X modular laptop
One of the largest laptop manufacturers releases concept pictures of Adapt X, a modular laptop in the same vein as Framework
Anycubic foldable portable 3D printer
Anycubic may launch this gorgeous foldable portable 3D printer any day soon, and I can't wait to try it out
HP Fury G1i 18"
'2-inches gets you 30% more screen': HP is pitching 18-inch laptop as the best new thing in tech
Framework Desktop
Framework's Desktop is selling like hot cakes; Ryzen Max+ 395, Max 383 batches are sold out with next shipment in Q3
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 23 (game #651)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 23 (game #385)
Google Pixel 9 Pro Fold main display opened
Apple is rumored to be prioritizing battery life on the foldable iPhone – which could also feature a liquid metal hinge for added durability
A person using a smartphone with an ecommerce website showing on a laptop.
Consumers are warming up to AI assistants, survey finds - 1/3 of us would allow AI to make purchases
A bloodied Mark staring at an off-screen Helly as Gemma screams at him from behind an exit door in Severance season 2 episode 10
Severance season 3: everything we know so far about the wildly popular Apple TV+ show's next chapter