Safari Side-Channel Attack Enables Browser Theft

Researchers have developed a side-channel exploit for Apple CPUs, enabling sophisticated attackers to extract sensitive information from browsers.

Side-channel attacks are usually overlooked, often physical counterparts to traditional software hacks. Rather than an unsecured password or a vulnerability in a program, they take advantage of the extra information a computer system or hardware generates — in the form of sound, light, or electromagnetic radiation, for example, or in the time it takes to complete certain computations (a timing attack).

On Wednesday, four researchers — including two of those responsible for uncovering the Spectre processor vulnerability back in 2018 — published the details of such an attack, which they’ve named “iLeakage,” affecting all recent iPhone, iPad, and MacBook models.

The researchers informed Apple of their findings on Sept. 12, 2022, according to their website, and the company has since developed a mitigation. However, it’s still considered unstable, it’s not enabled on devices by default, and mitigating is only possible on Macs, not mobile devices.

In comments provided to Dark Reading on background, an Apple spokesperson wrote, “This proof of concept advances our understanding of these types of threats. We are aware of the issue and it will be addressed in our next scheduled software release.”

How iLeakage Works

iLeakage takes advantage of A- and M-series Apple silicon CPUs’ capacity to perform speculative execution.

Speculative execution is a method by which modern CPUs predict tasks before they’re even prompted, in order to speed up information processing. “This technique has been around for over 20 years, and today all modern CPUs use it — it significantly speeds up processing, even accounting for times it might get the anticipated instructions wrong,” explains John Gallagher, vice president of Viakoo Labs.

The rub is that “cache inside the CPU holds a lot of valuable data, including what might be staged for upcoming instructions. iLeakage uses the Apple WebKit capabilities inside a browser to use JavaScript to gain access to those contents.”

Specifically, the researchers used a new speculation-based gadget to read the contents of another webpage when a victim clicked on their malicious webpage.

“Alone, WebKit would not enable the cache contents to be divulged, nor would how A-Series and M-Series perform speculative execution — it’s the combination of the two together that leads to this exploit,” Gallagher explains.

A Successor to Meltdown/Spectre

“This builds on a line of attacks against CPU vulnerabilities that started around 2017 with Meltdown and Spectre,” Lionel Litty, chief security architect at Menlo Security points out. “High level, you want to think about applications and processes, and trust that the operating system with help from the hardware is properly isolating these from one another,” but those two exploits broke the fundamental isolation between different applications, and an application and operating system, that we tend to take for granted as users, he says.

iLeakage, then, is a spiritual successor that focuses on breaking the isolation between browser tabs.

The good news is, in their website’s FAQ section, the researchers described iLeakage as “a significantly difficult attack to orchestrate end-to-end,” which “requires advanced knowledge of browser-based side-channel attacks and Safari’s implementation.” They also noted that successful exploitation hasn’t been demonstrated in the wild.

Were a capable enough attacker to come along and try it, however, this method is powerful enough to siphon just about any data users traffic online: logins, search histories, credit card details, what have you. In YouTube videos, the researchers demonstrated how their exploit could expose victims’ Gmail inboxes, their YouTube watch histories, and their Instagram passwords, as just a few examples.

iPhone Users Are Especially Affected

Though it takes advantage of the idiosyncrasies in Safari’s JavaScript engine specifically, iLeakage affects all browsers on iOS, because Apple’s policies force all iPhone browser apps to use Safari’s engine.

“Chrome, Firefox and Edge on iOS are simply wrappers on top of Safari that provide auxiliary features such as synchronizing bookmarks and settings. Consequently, nearly every browser application listed on the App Store is vulnerable to iLeakage,” the researchers explained.

iPhone users are doubly in trouble, because the best fix Apple has released thus far only works on MacBooks (and, for that matter, only in an unstable state). But for his part, Gallagher backs Apple’s ability to design an effective remediation.

“Chip-level vulnerabilities are typically hard to patch, which is why it is not surprising that there is not a fix for this right now. It will take time, but ultimately if this becomes a real exploited vulnerability a patch will likely be available,” he says.