A new attack vector called iLeakage has been discovered by a group of academics. This vulnerability affects Apple products [3], specifically Macs and iPhones released from 2020 onwards. It allows attackers to extract sensitive information from Safari on Macs and all browsers on iOS devices.

Description

iLeakage exploits speculative execution [7], the technique previously abused by versions of Spectre [7]. Attackers can exploit the vulnerability through a malicious website that uses JavaScript to secretly open another website chosen by the attacker and retrieve its content [4]. Apple has been aware of iLeakage for over a year. A setting in macOS Safari can mitigate the vulnerability, but Apple has marked it as “unstable” and it is off by default [7]. Users can enable Safari’s hidden debugging menu to protect themselves [7]. Apple has developed a mitigation for Macs, but it requires manual activation [3]. Apple plans to address the vulnerability in a future software release.

The discovery of iLeakage highlights the ongoing threats posed by hardware vulnerabilities [1]. While real-world attacks are unlikely due to the technical expertise required, the disclosure of this vulnerability means that hackers could potentially develop their own version of the attack or create similar attacks in the future. This news comes after the disclosure of other side-channel attacks and the discovery of RowPress [1], a variant of the RowHammer attack on DRAM chips [1].

Conclusion

Apple has released updates for its devices to fix security issues [5], but there is currently no fix for the iLeakage vulnerability [5]. Mitigations are available [5], such as Lockdown Mode and disabling JavaScript execution, but they come with limitations, such as affecting device performance or impacting the functionality of websites. Apple has implemented a manual mitigation method for macOS [2], but it is unstable and requires advanced user knowledge [5]. There is no evidence of iLeakage being exploited in the wild [5].

The researchers have notified Apple about the vulnerability [2] [3], and the company plans to release a more permanent fix in the future [2]. While the iLeakage attack requires a high level of technical knowledge and is not appealing to cyber criminals [2] [6], Apple is likely to patch the flaw soon [6]. There is already a toggle in macOS Safari to mitigate iLeakage [6], although it is off by default [6].

References

[1] https://thehackernews.com/2023/10/ileakage-new-safari-exploit-impacts.html
[2] https://www.techworm.net/2023/10/ileakage-attack-can-force-apple-safari-to-reveal-passwords.html
[3] https://uk.pcmag.com/security/149327/ileakage-flaw-can-prompt-apples-safari-to-expose-passwords-sensitive-data
[4] https://9to5mac.com/2023/10/26/ileakage/
[5] https://www.malwarebytes.com/blog/news/2023/10/ileakage
[6] https://www.speedguide.net/news/new-ileakage-attack-steals-emails-passwords-from-8197
[7] https://appleinsider.com/articles/23/10/25/ileakage-attack-resurrects-spectre-with-password-and-website-data-extraction