Researchers find Spectre-like flaw in Safari that could reveal passwords
Researchers have discovered a flaw in Apple’s Safari web browser that could allow attackers to perform a Spectre-like attack by exploiting the speculative execution feature of Apple chips. Among other things, this would allow attackers to obtain the login details of iOS and macOS users.
The vulnerability, which the researchers call iLeakage, affects iPhones, iPads and Macs released from 2020 onwards that contain Apple’s Arm-based A- or M-series chips. The flaw lets attackers abuse speculative execution, a feature found in many SoCs that allows the chip to perform certain computations before it knows whether they are needed. This usually makes the CPU faster, but the speculatively executed computations also leave traces in the CPU cache, and an attacker can recover data from those traces.
Speculative execution was also central to the Spectre and Meltdown vulnerabilities discovered six years ago. Since then, browsers have implemented measures to prevent such attacks as far as possible, but this is the first demonstration that speculative execution attacks can also be carried out against Apple chips through the Safari browser.
If attackers manage to lure users to a malicious website in the Safari browser, they can intercept sensitive data from the browser. The attackers can read data belonging to the website the user is currently visiting, and data from a previously visited site also remains recoverable for some time after the user leaves it. The malicious website can therefore direct users to another site and intercept that site’s data. In a proof-of-concept attack, for example, the researchers were able to view a Gmail inbox and a YouTube viewing history. If Safari automatically fills in the login credentials for these sites, the attackers can steal those as well.
The research team does not know whether this attack has ever actually been exploited in the wild. The attack leaves few traces and is therefore virtually undetectable. The team does note that carrying out the attack requires a great deal of technical knowledge, and the malicious site needs about five minutes to profile a visitor. Users who leave the website immediately after arriving will most likely escape the attack. The researchers say they informed Apple of the vulnerability a year ago, but it has not yet been fixed. However, the company told PCMag that the flaw will be fixed in the next software release.
The research team demonstrates how the vulnerability can be used to read a Gmail inbox.