A team of academic researchers has published a technical paper and have warned the users about a security threat that exploits weaknesses in recent Apple devices that can be used to extract sensitive information from Apple’s Safar web browser.
The flaw dubbed as iLeakage, exploits a speculative execution vulnerability in Safari installed on recent model Macs, iPads and iPhones with Apple A and M series CPUs. Speculative execution is a technique that modern processors use to improve performance by executing instructions before it is known whether they are necessary. This can lead to security vulnerabilities if the speculative execution is not properly controlled.
An attacker does need to trick a potential victim into visiting a malicious website. The attack path could include phishing links sent through email asking potential victims to reset passwords or other malicious activities.
The researchers, from the University of Michigan, Georgia Institute of Technology and Ruhr University Bochum, warn that iLeakage is a serious security vulnerability that can be exploited by attackers to steal sensitive information from Safari users.
Apple has implemented a mitigation for iLeakage in Safari. However, it’s not enabled by default and enabling it is possible only on macOS. Added to the mix is that the mitigation is currently marked as unstable.
This illustrates how, for both attackers and defenders, the browser is the new OS, with web primitives such as origins and web workers that parallel OS primitives, such as applications and threads. Security practitioners must educate themselves on this attack surface.