Safari Side-Channel Attack Enables Browser Theft
The "iLeakage" attack affects all recent iPhone, iPad, and MacBook models, allowing attackers to peruse your Gmail inbox, steal your Instagram password, or scrutinize your YouTube history.
Side-channel attacks infer sensitive data from unintended signals such as timing, power use, or electromagnetic emissions, bypassing logical defenses.
Search across headline titles and summaries.
Background for this topic.
Side-channel attacks infer secrets from indirect physical or behavioral signals produced while a system operates, rather than from the intended output alone. Useful signals can include execution time, CPU-cache behavior, power use, electromagnetic emissions, or sound. In practice, attackers may measure many operations and use statistical analysis to recover cryptographic keys or distinguish sensitive data, especially when they can run code near a target or obtain physical access to a device.
The main concern is unintended information leakage from cryptographic libraries, processors, smart cards, mobile and embedded devices, and shared computing environments. Risk reduction includes constant-time implementations, masking or blinding that makes intermediate values less useful, limiting co-residency and access to high-resolution measurements, and shielding or filtering hardware where appropriate. Security testing should measure actual leakage rather than assume encryption alone prevents it; vulnerability management should also account for affected processor designs, libraries, and device models. Exposure and feasible attacker access determine whether a side channel is a practical threat.
The "iLeakage" attack affects all recent iPhone, iPad, and MacBook models, allowing attackers to peruse your Gmail inbox, steal your Instagram password, or scrutinize your YouTube history.
A group of academics has devised a novel side-channel attack dubbed iLeakage that exploits a weakness in the A- and M-series CPUs running on Apple iOS, iPadOS, and macOS devices, enabling the extraction of sensitive information from the Safari web browser
Academic researchers created a new speculative side-channel attack they named iLeakage that works on all recent Apple devices and can extract sensitive information from the Safari web browser. [...]