Mac and iPhone users beware — Apple processors can be exploited to steal sensitive information


Even though researchers at the Georgia Institute of Technology and Ruhr University Bochum identified the ‘iLeakage’ side-channel vulnerabilities present in Apple's processors back in October 2023, and the company quickly found a way to mitigate those issues, these same researchers have now found two new vulnerabilities that act very similarly.

These new flaws, dubbed FLOP (False Load Output Prediction) and SLAP (Speculative Load Address Prediction), are CPU side-channel attacks that abuse the processor's speculative execution implementation to steal sensitive information from web browsers. Similar attacks were the underlying cause of Spectre and Meltdown in Intel's chips years ago. These new vulnerabilities are of particular concern both because they can be executed remotely without requiring any physical access to an Apple device and because a potential victim would only need to visit a malicious website for their information to be leaked.

Both of these new vulnerabilities target features aimed at speeding up processing by guessing at future instructions. This speculative work can leave traces in memory that can be used to extract sensitive information. As the researchers behind this new discovery explained to BleepingComputer:

“Starting with the M2 and A15 generation, Apple’s CPUs attempt to predict the next memory address that will be accessed by the core. And starting with the M3 and A17 generation, they attempt to predict the data value that will be returned from memory. However, mispredictions in these mechanisms can result in arbitrary computations being performed on out-of-bounds data or wrong data values.”

In the case of FLOP, if the attempt to predict data is incorrect, attackers can exploit this to leak sensitive information. While the CPU remains in an incorrect state, it leaks data through a cache timing attack. Using this, the researchers were able to retrieve sender and subject information from a Proton Mail inbox, steal Google Maps location history and recover private events from an iCloud Calendar.

Using SLAP, meanwhile, an attacker can ‘train’ a CPU to anticipate a specific memory access pattern and then manipulate it by abruptly altering the layout. This causes the CPU to read and process the sensitive data, which allows the attacker to exploit cache timing and other side channels to reconstruct it. This method has been used to retrieve Gmail inbox data, Amazon orders and browsing data, and Reddit user activity.

While these new flaws were disclosed to Apple last year in March and September, and the company both acknowledged the proof of concept and planned to address the issue, they currently remain unmitigated. Apple has told BleepingComputer that they thank the researchers for their work, but “based on our analysis, we do not believe this issue poses an immediate risk to our users.”

Still, it's always a good idea to keep your MacBook and other Apple devices up to date and running the latest software. Likewise, you should also be using one of the best Mac antivirus software solutions for extra protection from malware and other attacks.

Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
