Critical Flaws in Apple CPUs Let Hackers Steal Your Browser Data

Critical Flaws in Apple CPUs Let Hackers Steal Your Browser Data

Apple Processors Face New Security Vulnerabilities: FLOP and SLAP Attacks Revealed

Security researchers from Georgia Institute of Technology and Ruhr University Bochum have uncovered two significant vulnerabilities in modern Apple processors, dubbed FLOP and SLAP. These side-channel attacks exploit flaws in speculative execution implementation, similar to previous Spectre and Meltdown vulnerabilities.

FLOP (False Load Output Prediction)
– Affects Apple M3, M4, and A17 processors
– Exploits CPU’s Load Value Prediction feature
– Can leak sensitive data through cache timing attacks
– Demonstrated ability to:
* Escape Safari’s sandbox
* Access Proton Mail inbox data
* Retrieve Google Maps location history
* Extract iCloud Calendar events

SLAP (Speculative Load Address Prediction)
– Impacts Apple M2, A15, and newer processors
– Exploits Load Address Prediction mechanism
– Allows attackers to access unauthorized memory addresses
– Successfully demonstrated extraction of:
* Gmail inbox contents
* Amazon order history
* Reddit user activity

Security Implications:
– Attacks can be executed remotely through malicious websites
– No physical access or malware installation required
– Bypasses browser sandboxing and memory protections
– Exploitable through JavaScript or WebAssembly code

Current Status:
– Vulnerabilities disclosed to Apple (SLAP: March 24, 2024; FLOP: September 3, 2024)
– Apple acknowledges the issues but considers them non-immediate risks
– No patches currently available
– Temporary mitigation: Disable JavaScript in Safari and Chrome

Share This Article