Safari Vulnerability Exposes Personal Information on Apple Devices
Security researchers have recently discovered a major vulnerability named iLeakage in Apple’s iOS and macOS, including its Safari browser. This flaw allows threat actors to access Gmail messages, passwords, and other sensitive personal information. Although Apple has provided a mitigation, users must manually enable the fix. The vulnerability affects macOS and iOS devices running on Apple’s A-series or M-series CPUs, which includes modern iPhones, iPads, and laptops/desktops released since 2020. While Macs are only vulnerable when using Safari, mobile devices are at risk when using any browser.
How does the iLeakage vulnerability work?
The iLeakage vulnerability takes advantage of a transient execution side channel found in modern CPUs, called speculative execution. Attackers can exploit this by forcing the CPU to speculatively execute the wrong instructions, ultimately allowing them to read sensitive data from the cache. This vulnerability remains undetected in the wild as of October 27, 2023.
The iLeakage vulnerability was discovered by researchers Jason Kim and Daniel Genkin from the Georgia Institute of Technology, Stephan van Schaik from the University of Michigan, and Yuval Yarom from Ruhr University Bochum. According to the researchers, malicious JavaScript and WebAssembly running on an attacker’s webpage can access the content of the target webpage, extracting personal details, passwords, or credit card information. To demonstrate this, the researchers set up a website that opened a hidden window on the target’s device.
The researchers believe that the difficulty in orchestrating this vulnerability, which requires detailed knowledge of Safari and browser-based side channel attacks, explains why it has not been exploited in the wild. However, it is crucial to be aware of iLeakage due to its novel nature and the large number of potentially affected devices. TechRepublic has reached out to the researchers for further information.
How to defend against iLeakage on Apple devices
Apple has implemented a mitigation for iLeakage in macOS Ventura 13.0 and newer releases, but enabling it requires some effort. Users can follow the instructions on the iLeakage website under “How can I defend against iLeakage?” to access Safari’s debugging menu. From there, they can find WebKit’s internal features and disable swap processes on cross-site window openings, rendering the iLeakage exploit ineffective.
Alternatively, entering Lockdown Mode or disabling JavaScript can also prevent iLeakage attacks. However, these measures may cause certain features of Safari to cease functioning properly. It is important to note that iLeakage is difficult to trace, as it does not appear in the system’s log files and exists solely within Safari. Evidence of an attacker’s website hosting iLeakage may be found in Safari’s browser cache of recently visited pages, if an attack has already occurred.
