Apple Vulnerability Can Expose iOS and macOS Passwords, Safari Browsing History
Get the web’s best business technology news, tutorials, reviews, trends, and analysis—in your inbox. Let’s start with the basics.
* – indicates required fields
Lost your password? Request a new password
Please enter your email adress. You will receive an email message with instructions on how to reset your password.
Check your email for a password reset link. If you didn’t receive an email don’t forgot to check your spam folder, otherwise contact support.
This will help us provide you with customized content.
Thanks for signing up! Keep an eye out for a confirmation email from our team. To ensure any newsletters you subscribed to hit your inbox, make sure to add newsletters@nl.technologyadvice.com to your contacts list.
Apple Vulnerability Can Expose iOS and macOS Passwords, Safari Browsing History
Your email has been sent
This Safari vulnerability has not been exploited in the wild. Apple offers a mitigation, but the fix needs to be enabled manually.
Security researchers from three universities have discovered a major vulnerability in Apple’s iOS and macOS, including the Safari browser. The vulnerability, which the researchers named iLeakage, enables threat actors to read Gmail messages, reveal passwords and uncover other personal information.
The vulnerability affects macOS or iOS devices running on Apple’s A-series or M-series CPUs, which include all modern iPhones and iPads, and laptops or desktops released since 2020. Macs can only be attacked when using Safari, but mobile devices are vulnerable when using any browser.
The researchers disclosed their findings to Apple on Sept. 12, 2022, and made the findings, as well as a research paper, public on Oct. 25, 2023. The iLeakage vulnerability has not yet been exploited in the wild as of October 27.
Jump to:
The iLeakage takes advantage of a transient execution side channel, which is a performance optimization feature of modern CPUs. The particular side channel involved here is speculative execution, which can be vulnerable to a hardware hack known as Spectre. Attackers can detect traces of speculative execution in CPUs, particularly the cache. Attackers can force the CPU to speculatively execute the wrong flow of instructions. Then, the attackers can read sensitive data contained in the resulting side channel (Figure A).
Figure A
The researchers who discovered the vulnerability are Jason Kim and Daniel Genkin of the Georgia Institute of Technology, Stephan van Schaik of the University of Michigan and Yuval Yarom of Ruhr University Bochum.
“Code running in one web browser tab should be isolated and not be able to infer anything about other tabs that a user has open,” the researchers wrote on their website about iLeakage. “However, with iLeakage, malicious JavaScript and WebAssembly can read the content of a target webpage when a target visits and clicks on an attacker’s webpage. This content includes personal information, passwords or credit card information.”
The researchers demonstrated iLeakage by setting up a website that opens up a hidden window on the target’s machine.
The researchers speculate that this vulnerability has not been found in the wild because it’s difficult to orchestrate, requiring detailed knowledge of Safari and of browser-based side channel attacks. However, iLeakage is important to know about because of its novel approach and because the number of devices potentially open to exploitation through iLeakage is so high.
TechRepublic has reached out to the researchers for more information.
SEE: Everything you need to know about Apple’s iOS 17 (TechRepublic)
Apple has enabled a mitigation for iLeakage in macOS Ventura 13.0 and newer releases, but it takes some work to find it. To activate the mitigation, follow the instructions posted on the iLeakage site under “How can I defend against iLeakage?” to access Safari’s debugging menu. From there, you can find WebKit’s internal features and an option to disable swap processes on cross-site window openings, which prevents the iLeakage exploit from working.
Also, entering Lockdown Mode or disabling JavaScript prevents the iLeakage exploit from working, but doing so may cause some of Safari’s features not to work.
iLeakage can be hard to trace because it doesn’t appear in the system’s log files, the researchers said; instead, iLeakage resides entirely within Safari. Some evidence of the attacker website hosting iLeakage may be visible in Safari’s browser cache of recently visited pages if an attack has already taken place, the researchers said.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Apple Vulnerability Can Expose iOS and macOS Passwords, Safari Browsing History
Your email has been sent
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.
This is a comprehensive list of the best AI art generators. Explore the advanced technology that transforms imagination into stunning artworks.
Find the perfect payroll service for your business without breaking the bank. Discover the top cheap payroll services, features, pricing and pros and cons.
Is NordVPN worth it? How much does it cost and is it safe to use? Read our NordVPN review to learn about pricing, features, security, and more.
Free project management software provides flexibility for managing projects without paying a cent. Check out our list of the top free project management tools.
Australian and New Zealand enterprises in the public cloud are facing pressure to optimize cloud strategies due to a growth in usage and expected future demand, including for artificial intelligence use cases.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Data without an associated backup is only as reliable as the system upon which it is stored — and every system has a finite lifespan or may be susceptible to malware or hacking efforts. This policy from TechRepublic Premium provides guidelines for reliable and secure backups of end user data. It outlines the responsibilities of …
Regardless of what business or what industry you are in, the potential benefits of cloud computing and cloud computing services are self-evident. Whether you just need some basic off-premises storage or run your entire enterprise from the cloud, the benefits of scalability, convenience, predictability, availability and reliability are always just a few clicks away, or …
As the digital age continues to progress, advertising techniques have transformed to stay aligned with the intense growth of the internet and its marketing opportunities. Many industries have taken advantage of the online digital landscape to communicate their messages and attract the attention of potential consumers through their websites. But with so many businesses flooding …
To make their best decisions, businesses need the best actionable information. Acquiring that information requires the sifting, sorting and manipulation of data — lots and lots of data. But data does not just happen. It must be designed, molded and drawn out of what is essentially chaos. Recruiting a data architect with the right combination …
source
