29 January 2025

New Apple Vulnerabilities Expose Data Theft Risks

Security researchers reveal alarming flaws affecting multiple Apple devices and browsers.

Security researchers have disclosed two alarming new vulnerabilities affecting Apple devices, possibly enabling the remote theft of sensitive data from web browsers. Impacting Macintosh computers and iOS devices alike, these vulnerabilities, dubbed FLOP and SLAP, represent significant threats to users relying on popular internet browsers.

According to reports from Bleeping Computer, the vulnerabilities can affect devices running on Apple chips from as early as 2021. They can be exploited by attackers remotely, without needing physical access to devices—a potent threat, especially for users accessing sensitive services such as Gmail and iCloud.

Researchers at the Georgia Institute of Technology and Ruhr University Bochum, namely Jason Kim, Jalen Chuang, Daniel Genkin, and Yuval Yarom, explained how these attacks exploit side-channel vulnerabilities inherent to the Apple silicon architecture. The findings suggest these problems stem from processor speculative execution, a technique commonly used to improve processing speed by anticipating future instructions. Unfortunately, these anticipatory guesses can leave traces in memory that malicious actors can exploit.

“There are hardware and software measures to isolate open web pages, preventing one from reading the other's contents,” the researchers noted. “SLAP and FLOP break these protections, allowing attacker pages to read sensitive, login-protected data from target web pages.”

The list of devices affected by these newly discovered vulnerabilities is extensive. It includes various models of Mac laptops released from 2022 to the present, such as the MacBook Air and MacBook Pro, alongside Mac desktops like the Mac Mini, iMac, Mac Studio, and Mac Pro from 2023 onwards. The iPad lineup is also impacted, including the Pro, Air, and Mini models released from September 2021, along with iPhones from the 13, 14, 15, and 16 series, as well as the 3rd generation of SE models.

With digital security becoming increasingly precarious, the fact that such vulnerabilities can be exploited remotely amplifies the concern surrounding user data protection on Apple devices, particularly for professionals and individuals dealing with confidential information.

While the researchers emphasized the severity of these vulnerabilities, they also noted the need for software vendors to implement patches to mitigate the risks. To date, Apple has communicated plans to address these vulnerabilities, promising security updates ahead. Until a fix is released, users may be left vulnerable to these newly emerged attack methods.

“We want to thank the researchers for their collaboration as this proof of concept advances our... analysis, we do not believe this issue poses an immediate risk to our users,” remarked an Apple spokesperson. This statement attempts to assuage fears but highlights the importance of remaining vigilant as tech giants navigate the challenges of cybersecurity.

To mitigate the risk posed by FLOP and SLAP, users can follow cybersecurity best practices, such as installing updates regularly, browsing cautiously, and using security tools. While users await Apple’s upcoming updates, the disclosure of these vulnerabilities serves as a stark reminder of the constant evolution of cyber threats and the necessity for enhanced security measures across all devices.