A team of academic researchers has disclosed the details of a new Spectre-style side-channel attack that exploits Safari to steal sensitive information from Mac, iPhones and iPads.
Described as a timerless speculative execution attack and named iLeakage, the new method can be used to induce Safari to render an arbitrary webpage and harvest information from that page.
The attacker needs to lure the targeted Safari user to a malicious website, which then automatically opens the site from which they want to steal information. This is possible because the rendering process handles both the iLeakage attack website and the targeted site.
iLeakage was discovered by researchers from the University of Michigan, Georgia Institute of Technology, and Ruhr University Bochum, who this week published a paper detailing their findings.
The experts showed how the attack could be used to obtain passwords and other sensitive information. They published video demos showing how the iLeakage attack can be leveraged to steal Instagram credentials autofilled by a password manager, email subject lines from a Gmail inbox, and a user’s YouTube watch history.
The findings were reported to Apple in September 2022, but the tech giant has so far only made available a mitigation for Safari on macOS, and it’s not enabled by default, in addition to being unstable, according to the researchers.
Apple told SecurityWeek that the proof of concept developed by the researchers advances the company’s understanding of these types of threats. Apple plans on further addressing the issue in its next scheduled software release.
On one hand, there is no evidence that iLeakage has been exploited in the wild and the attack is not easy to conduct. “[It] requires advanced knowledge of browser-based side-channel attacks and Safari’s implementation,” the researchers said.
On the other hand, the experts noted that the attack would be difficult to detect since it runs in Safari and does not leave any trace in system log files.
On macOS, iLeakage only impacts Safari because other browsers such as Edge, Firefox and Chrome use different JavaScript engines, the researchers said. However, on iOS the attack can work with other browsers as well because Chrome, Edge and Firefox are basically ‘wrappers on top of Safari’.
“iLeakage shows that the Spectre attack is still relevant and exploitable, even after nearly 6 years of effort to mitigate it since its discovery,” the researchers noted.
Related: Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack
Related: New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
Related: New ‘Inception’ Side-Channel Attack Targets AMD Processors