New Safari Exploit Impacts Apple iPhones and Macs with A and M-Series CPUs

Oct 26, 2023 | Newsroom | Data Security / Vulnerability


A group of academics has developed a novel side-channel attack called iLeakage which exploits a vulnerability in A- and M-series CPUs running on Apple iOS, iPadOS, and macOS devices, enabling the extraction of sensitive information from the Safari web browser.

“An attacker can trigger Safari to create an arbitrary web page, then recover the sensitive information contained in it using speculative execution,” researchers Jason Kim, Stephan van Schaik, Daniel Genkin, and Yuval Yarom say in a new study.

In a practical attack scenario, the vulnerability could be exploited using a malicious web page to retrieve the contents of the Gmail inbox and even retrieve passwords autofilled by credential managers.

iLeakage, apart from being the first case of a Spectre-style speculative execution attack against Apple Silicon CPUs, also operates against all third-party web browsers available for iOS and iPadOS due to Apple’s App Store policy that directs browser vendors to use Safari’s WebKit engine.


Apple announced the findings on September 12, 2022. The flaw affects all Apple devices released from 2020 onward that are powered by Apple’s A-series and M-series ARM processors.

The core of the problem is that malicious JavaScript and WebAssembly embedded in a web page in one browser tab can read the contents of a target website when the victim visits the attacker-controlled page.

This is done through a microarchitectural side channel, which a malicious actor can weaponize to reveal sensitive information via secondary signals such as timing, power consumption, or electromagnetic emanations.

The side channel underlying the latest attack is speculative execution, a performance optimization in modern CPUs that has been the target of several similar methods since Spectre came to light in 2018.

Speculative execution is designed to improve performance by using spare processing cycles to execute program instructions out of order when the CPU encounters a conditional branch whose direction depends on preceding instructions that have not yet completed.

The technique rests on predicting the path the program will take and speculatively executing the instructions along that path. When the prediction is correct, the work completes faster than it otherwise would.

If the prediction turns out to be wrong, the results of the speculative execution are discarded and the processor resumes on the correct path. Even so, the mispredicted work leaves traces in the cache.

Attacks like Spectre involve prompting a CPU to speculatively perform operations that would not occur during correct execution of the program and that leak the victim’s confidential information through a side channel.

In other words, by forcing the CPU to mispredict on sensitive instructions, an attacker (via a rogue program) can read data belonging to another program (i.e., the victim), effectively breaking isolation protections.
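To make the cache-trace mechanism described in the preceding paragraphs concrete, here is a small Python model of a bounds-checked array read followed by a data-dependent load. It is an added illustration, not code from the iLeakage researchers, from Apple, or from this article. Everything in it is constructed: the ToyCPU class, the flat byte-array memory, the 16-byte public array with a made-up secret placed directly after it, the 256-line probe region, and a one-bit branch predictor. The model shows that a mispredicted speculative path fills a cache line keyed by a byte the program never architecturally returns, and it also shows two generic Spectre-v1 defences, index masking and a speculation barrier, which are assumptions for the example rather than the specific hardening Apple ships.

```python
"""Toy model of why mispredicted speculation leaks through the cache.

Constructed example: ToyCPU, the memory layout, the secret and the probe
region are all assumptions; nothing here touches real hardware.
"""

CACHE_LINE = 64                  # assumed cache line size in bytes
PUBLIC_BASE, PUBLIC_LEN = 0, 16  # bounds-checked public array at address 0 (power of two, for masking)
PROBE_BASE = 1024                # 256 lines here act as the side-channel "probe" array


class ToyCPU:
    """Holds the two kinds of state that matter: memory (architectural) and cache (microarchitectural)."""

    def __init__(self, memory):
        self.memory = memory
        self.cache = set()            # set of cached line numbers
        self.predictor_taken = False  # one-bit predictor for the bounds-check branch

    def load(self, addr):
        """A load fills its cache line whether or not the access later retires."""
        self.cache.add(addr // CACHE_LINE)
        return self.memory[addr]

    def is_cached(self, addr):
        return addr // CACHE_LINE in self.cache


def run_gadget(cpu, index, mitigation=None):
    """Model of `if index < PUBLIC_LEN: return probe[public[index] * CACHE_LINE]`.

    Returns the architectural result: the probed byte for an in-bounds index, else None.
    mitigation: None, "mask" (clamp the index so even speculation stays in bounds),
    or "barrier" (no execution past the branch until the compare resolves).
    """
    in_bounds = index < PUBLIC_LEN  # on a real CPU this resolves late

    # Speculative phase: the predictor supplies the branch outcome before the compare resolves.
    if cpu.predictor_taken and mitigation != "barrier":
        spec_index = index & (PUBLIC_LEN - 1) if mitigation == "mask" else index
        byte = cpu.load(PUBLIC_BASE + spec_index)   # may read past the array
        cpu.load(PROBE_BASE + byte * CACHE_LINE)    # leaves a trace keyed by that byte

    # Retirement: the real outcome is known. Mispredicted results are discarded,
    # but the cache fills above are not undone.
    cpu.predictor_taken = in_bounds
    if in_bounds:
        byte = cpu.load(PUBLIC_BASE + index)
        return cpu.load(PROBE_BASE + byte * CACHE_LINE)
    return None


def observe_trace(cpu):
    """Which of the 256 probe lines is cached? Its index is the byte that reached the cache."""
    hits = [v for v in range(256) if cpu.is_cached(PROBE_BASE + v * CACHE_LINE)]
    return hits[0] if len(hits) == 1 else None


def leak_via_trace(mitigation=None):
    """Run the model end to end; returns (architectural result, byte recovered from the cache)."""
    memory = bytearray(PROBE_BASE + 256 * CACHE_LINE)
    memory[PUBLIC_BASE:PUBLIC_BASE + PUBLIC_LEN] = bytes(range(PUBLIC_LEN))
    secret = b"S3cr3t!"                              # constructed secret placed right after the array
    memory[PUBLIC_LEN:PUBLIC_LEN + len(secret)] = secret
    cpu = ToyCPU(memory)

    for i in range(PUBLIC_LEN):      # legitimate in-bounds accesses train the predictor to "taken"
        run_gadget(cpu, i, mitigation)
    cpu.cache.clear()                # start the measurement from a cold cache

    result = run_gadget(cpu, PUBLIC_LEN, mitigation)  # one past the end: the first secret byte
    return result, observe_trace(cpu)


if __name__ == "__main__":
    for m in (None, "mask", "barrier"):
        arch, leaked = leak_via_trace(m)
        print(f"mitigation={m!s:8} architectural={arch} cache_trace={leaked}")
```

Without a mitigation the gadget architecturally returns None for the out-of-bounds index, yet the probe line for the first secret byte is the only one left in the cache. With index masking the speculative path can only touch public data, so the trace reveals a public byte instead; with a barrier nothing runs past the unresolved branch and no trace is left at all.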

iLeakage not only bypasses the hardening measures Apple has put in place, but also implements a timer-less and architecture-agnostic method that uses race conditions to distinguish individual cache hits from cache misses when two processes, one belonging to the attacker and one to the target, run on the same CPU.


This gadget forms the basis of a covert channel that ultimately achieves an out-of-bounds read anywhere in the address space of Safari’s rendering process, resulting in information leakage.

While this vulnerability is unlikely to be used in real-world attacks given the technical expertise required to exploit it, the research highlights the continued threat posed by hardware vulnerabilities even after all these years.

The iLeakage news comes months after cybersecurity researchers revealed details of a trifecta of side-channel attacks – Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569) – that can be exploited to leak sensitive data from modern CPUs.

It also follows the discovery of RowPress, a variant of the RowHammer attack on DRAM chips, and an enhancement of Blacksmith that can be used to cause bit flips in adjacent rows, leading to data corruption or theft.
