Saying goodbye to October, cybersecurity month !
Throughout October, we have been exploring different aspects of cybersecurity and how to protect our information online. Now, it is crucial to address a recent concern affecting Apple devices: the iLeakage exploit. This side-channel attack allows hackers to extract data, including Gmail inbox, from Apple devices running iOS, iPadOS, and macOS.
Security researchers funded by the United States Air Force Office of Scientific Research and the Defense Advanced Research Projects Agency have revealed the details of this exploit. Dubbed iLeakage, this attack can be deployed on Apple devices manufactured from 2020 onwards with A and M series CPUs and targets the Safari browser and any other browser app on an iPhone or iPad.
The iLeakage exploit uses a technique called “speculative execution” to carry out attacks against Safari on macOS devices. However, it also works in any browser on iPhones and iPads since these devices are required to use Apple’s WebKit engine.
In their paper titled “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices,” the researchers reveal the magnitude of this exploit. A hacker could recover sensitive information by inducing Safari or another WebKit-based browser to render an arbitrary page. “In particular, we demonstrate how Safari allows a malicious web page to retrieve secrets from high-value targets,” the researchers reveal, including “the contents of the Gmail inbox.” Additionally, they also demonstrate exploits that can lead to “password recovery” auto-filled by password managers.
In the case of Gmail, a target would likely be logged into their personal Google account. “By having the event listener inside the attacker’s page run window. Open (gmail.com),” the researchers explain, “we can consolidate the target’s inbox view into the attacker’s address space. Then, we filter the contents of the target’s inbox.” Google has been contacted for a statement.
According to researchers, Apple was informed of the discovery of the iLeakage exploit on September 12, 2022. So far, the only mitigation by Apple is reserved for Safari on Macs. There is no mitigation available for iPhone or iPad users at this time.
However, an Apple spokesperson mentioned that “this proof of concept advances our understanding of these threats. We are aware of the issue, and it will be addressed in our next scheduled software release.“
Apple
To our knowledge, iLeakage exploits have not been used in practice. This is, in part, because the attack is significantly challenging to orchestrate from start to finish and requires advanced knowledge of browser-based side-channel attacks and Safari implementation. On the other hand, iLeakage does not leave traces of an attack in the system log files, although the attack web page could be found in the browser cache since it runs in Safari. Researchers have confirmed that it is “improbable” to detect an attack.
As we say goodbye to October, let us remember the importance of cybersecurity in our digital lives. Let’s keep our devices updated, use strong passwords, and stay tuned for the latest news and security mitigations.
Let’s continue to protect our privacy online!
