Two Flaws In Apple's A- And M-Series Chips Could Leak Personal Data From Chrome And Safari
New Vulnerabilities in Apple Silicon Chips Expose Sensitive Data to Attacks
Apple's A- and M-series chips, powering its latest devices, have been found to harbor critical vulnerabilities that could leak sensitive user data such as credit card details, location history, and private communications.
Researchers Yuval Yarom from Ruhr University Bochum in Germany, along with Daniel Genkin, Jalen Chuang, and Jason Kim from the Georgia Institute of Technology in the US, released papers detailing two new speculative-execution attacks called SLAP and FLOP.
These flaws, discovered in recent generations of Apple Silicon, can be exploited through side-channel attacks to access information from browsers like Chrome and Safari.
The flaws arise from the way Apple's newest chips use speculative execution, a performance feature in which the CPU executes instructions ahead of time, before the code is actually requested. Although this results in faster processing, the newest Apple chips predict not just control flow but also memory data, which opens them up to attackers who exploit these predictions for malicious purposes.
The more dangerous of the two attacks is known as FLOP, or Forward Load Operation Prediction. It targets the Load Value Predictor (LVP), which predicts the contents of a memory address when the data is not otherwise available. By providing the LVP with malformed values, an attacker can break the access controls the system places on memory. This allows attackers to steal sensitive information, including a user's Google Maps location history or private events stored in iCloud Calendar.
The second attack, named SLAP (Speculative Load Address Prediction), abuses the Load Address Predictor (LAP). While the LVP predicts data values, the LAP predicts the memory addresses from which data will be accessed. SLAP works by forcing the LAP to make wrong predictions about memory locations, thereby allowing malicious websites to steal sensitive information from other open tabs. For instance, an attacker might read private e-mail content from a website such as Gmail while another Safari tab is open to the attacker's site.
Although both attacks target speculative execution, FLOP is more powerful in that it can access any memory address in the browser's address space; more importantly, it affects both Safari and Chrome. In contrast, SLAP can only access adjacent memory strings, and its impact is limited to Safari.
The bugs affect a wide range of Apple products, including all MacBook laptops from 2022 onward, desktop Macs from 2023, iPads from 2021 and iPhones from 2021. All of these can be vulnerable to one or both types of attack, which could compromise user privacy on popular websites such as Proton Mail or iCloud.
Apple quickly acknowledged the threat and said, "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats. Based on our analysis, we do not believe this issue poses an immediate risk to our users."
© Copyright IBTimes 2024. All rights reserved.