Yoodley is reader-supported. When you buy through links on our site, we may earn an affiliate commission.

There is a new attack devised by researchers that can lead to the revealing of different sensitive Apple device data. The technique involves the use of Safari for Macs but will reportedly work with any browsers used on iPhones and iPads.

There’s currently no patch for the flaw, and it only reportedly needs minimal physical resources to be performed. Yet, it also requires technical expertise and complex Apple hardware reverse-engineering knowledge, making the attack less likely to be performed by just anyone.

Called iLeakage, the attack focuses on the exploitation of a side-channel vulnerability. The researchers who have proof of concept of the attack implemented it as a website, which, when visited by a vulnerable Apple device, could lead to the fulfillment of the attack. According to the paper presented, researchers managed to recover different data using this technique.

“We present iLeakage, a transient execution side channel targeting the Safari web browser present on Macs, iPads and iPhones,” the researcher shared on the iLeakage website. “iLeakage shows that the Spectre attack is still relevant and exploitable, even after nearly 6 years of effort to mitigate it since its discovery. We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution. In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.”

Currently, there’s still no CVE assigned to the flaw. Yet, Arstechnica shared in a report that the iPhone maker acknowledged the attack, with a representative saying that it “advances the company’s understanding.” According to the outlet, Apple also “plans to address it in an upcoming software release.”


Please enter your comment!
Please enter your name here