The attack exploits a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices. This is highly amusing because the A- and M-series CPUs are being touted as a cure for cancer by the Tame Apple Press with all sorts of bizarre performance claims made for them.
Dubbed iLeakage, the attack requires minimal resources, although you need to know a bit about Apple hardware and side channel vulnerabilities.
In this case, the side channel attack is speculative execution, a performance enhancement feature in modern CPUs. The endless stream of exploit variants has left chip makers—primarily Intel and, to a lesser extent, AMD—scrambling to devise mitigations. Some of these have left chips slower, and since it thought it did not need to do them, Apple might have claimed better performance.
The researchers implemented iLeakage as a website. When visited by a vulnerable macOS or iOS device, the website uses JavaScript to open a separate website of the attacker’s choice and recover site content rendered in a pop-up window.
The researchers have successfully used iLeakage to recover YouTube viewing history, the content of a Gmail inbox—when a target is logged in—and a password as a credential manager is auto-filling it. Once visited, the iLeakage site requires about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.
“We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution,” the researchers wrote on an informational website. “In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are auto-filled by credential managers.”
An Apple representative said the company knows the vulnerability and plans to address it in an upcoming software release. However, it is unclear if this will result in Apple chips slowing down to match others who have faced this attack.