Serious Apple CPU Flaw Discovered—iPhone & Mac Data at Risk

Security researchers have discovered two critical vulnerabilities in Apple devices that could allow hackers to steal sensitive data through web browsers. These flaws, known as FLOP (Breaking the Apple M3 CPU via False Load Output Predictions) and SLAP (Data Speculation Attacks via Load Address Prediction on Apple Silicon), affect Macs, iPhones, and iPads dating back to 2021. Even more concerning, these attacks can be executed remotely, meaning hackers don’t need physical access to exploit them.

The vulnerabilities stem from speculative execution, a feature in Apple’s processors that guesses future tasks to speed up performance. Unfortunately, these predictions leave traces in memory, which attackers can manipulate to extract private data. FLOP and SLAP specifically exploit how Apple’s M-series and A-series chips predict memory operations.

FLOP, which affects newer processors (M3, M4, and A17), focuses on the CPU’s attempt to predict stored values. SLAP, which impacts M2, A15, and later models, targets the prediction of memory addresses. By manipulating these processes, hackers can steal data before the CPU realizes the error and corrects itself.

Fig 1. Data leaked via FLOP Source: flop.fail

How These Attacks Work and What’s at Risk

Hackers can exploit FLOP and SLAP by embedding malicious JavaScript or WebAssembly code into a website. If a user visits an infected page, the attack can be triggered without requiring any downloads or suspicious actions. This makes it particularly dangerous, as victims may have no idea their data is being accessed.

Once triggered, the attack can leak sensitive information from web browsers like Safari and Chrome. This includes:

• Emails from services like Gmail and ProtonMail
• iCloud data, such as calendar events and location history
• Amazon order history and browsing activity
• Reddit user activity and other private interactions

Unlike traditional malware, this method bypasses many built-in security protections, including browser sandboxing and Address Space Layout Randomization (ASLR). This means even users following standard security best practices could still be at risk simply by browsing the web.

What Apple Users Should Do

Researchers disclosed these vulnerabilities to Apple in 2024. While Apple has acknowledged them, no fix has been released yet. The company has stated that it does not believe FLOP and SLAP pose an immediate risk, but cybersecurity experts warn that the threat is serious.

Until an official security patch is available, users can take steps to minimize their exposure:

• Disable JavaScript in Safari and Chrome (note this may cause issues with some websites).
• Keep all software updated and install any security updates as soon as they are released.
• Be cautious of unfamiliar websites, as malicious scripts can be hidden in seemingly normal web pages.

With no fix currently available, staying informed and implementing these protective measures is the best way to reduce risk. Apple users should remain alert for security updates and apply them as soon as they are released.