A group of academic researchers has developed a speculative execution attack named “iLeakage” that can extract sensitive data, such as passwords and emails, on recent Apple devices via the Safari web browser.
iLeakage has been developed by a team of academics from Georgia Tech, the University of Michigan, and Ruhr University Bochum after extensive examination of Safari’s side-channel resilience. They have also published a paper and website warning users about the threat.
This attack is the first demonstration of a speculative execution attack against Apple Silicon CPUs and the Safari browser. The vulnerability affects Macs and iPhones from 2020 and onwards that were built with Apple’s Arm-based A-series and M-series chips.
The researchers created a proof-of-concept exploit that implements iLeakage as a malicious website. It exploits a side-channel vulnerability in Apple silicon (A-series and M-series CPUs) on devices running iOS and macOS, allowing data to be leaked.
They achieved this by abusing Safari’s site isolation policy, demonstrating a new technique that allows the attacker page to share the address space with arbitrary victim pages by opening them using the JavaScript window.open API.
By constructing in-browser eviction sets and side-stepping Safari’s timer mitigations, the researchers were ultimately able to bypass Apple’s compressed 35-bit addressing and value poisoning countermeasures using speculative type confusion, which allowed them to leak sensitive data, such as passwords and emails, from a targeted Mac or iPhone.
“Thus, we created an attacker page that binds window.open to an onmouseover event listener, allowing us to open any web page in our address space whenever the target has their mouse cursor on the page,” the team’s research paper says.
“We note that even if the target closes the opened page, the contents in memory are not scrubbed immediately, allowing our attack to continue disclosing secrets.”
The iLeakage attack is implemented in JavaScript and WebAssembly, the two languages commonly used to deliver dynamic web content.
As showcased in demo videos (1)(2)(3), the researchers were able to recover Gmail messages in Safari running on an iPad, an Instagram test account password that had been auto-filled in Safari by the LastPass password manager, and the YouTube watch history from Chrome for iOS.
“We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution,” the researchers wrote on an informational website.
“In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are auto-filled by credential managers.”
According to the researchers, the flaw has the potential to affect all browsers on iOS because Apple’s policy requires all third-party iOS browsers to use its WebKit engine. Thankfully, this speculative execution attack requires a high level of technical knowledge, which makes it unattractive to cybercriminals.
Apple was notified about the vulnerability by the researchers on September 12, 2022. Since then, the company has only implemented a manual mitigation method for macOS to protect users, the team says, and that mitigation applies only to Safari on Macs.
Apple says it is aware of the vulnerability and that a more permanent fix will be included in a future software release. You can visit the iLeakage page for instructions on how to activate the mitigation.
“When Apple pushes the mitigation to production, we expect it to completely protect users from our attack,” added Jason Kim, a PhD student at Georgia Tech, who worked on the team.
“We have not heard from Apple on how their mitigation affects their browser performance benchmarks, or when the mitigations will be deployed to customers.”