New Safari Exploit Raises Concerns About iOS Security
Researchers have discovered a new cybersecurity threat named iLeakage, targeting Apple devices with A- and M-series processors. This threat, which affects devices running iOS, iPadOS, and macOS, leverages a vulnerability in these CPUs to siphon sensitive data from the Safari web browser.
By manipulating Safari to load a specific webpage, attackers can utilize speculative execution—a CPU performance optimization feature—to extract information like Gmail inbox contents and auto-filled passwords.
iLeakage is notably the first attack of its kind aimed at Apple Silicon CPUs, and it affects all third-party iOS and iPadOS web browsers because Apple’s policy requires them to use Safari’s WebKit engine. Apple was informed about this issue on September 12, 2022. All devices released from 2020 onwards are susceptible.
The exploit works by embedding malicious JavaScript or WebAssembly in a webpage. When a user navigates to this page, the attacker can covertly access data from other sites the victim is browsing, using side-channel techniques that exploit variables like timing and power consumption.
This method builds upon speculative execution, where CPUs execute instructions out of order to improve performance. Although speculative execution is designed to enhance efficiency, it can leave traces in the cache when predictions about program paths are incorrect, creating opportunities for data leakage.
iLeakage circumvents Apple’s security measures by employing a unique, timer-less approach that relies on race conditions to differentiate between cache hits and misses. This allows for unauthorized reads within Safari’s rendering process, posing a significant privacy risk. Although such an attack is technically complex to execute, it highlights ongoing concerns with hardware vulnerabilities.