Apple Chips Have Major Security Flaws, Say Researchers

iPhone, iPad, and Mac models powered by Apple’s newer A-series and M-series chips have major security flaws that could let hackers steal users’ private information from Safari and Chrome, according to researchers (via Ars Technica).
Security researchers have found vulnerabilities in the CPUs of recent generations of Apple Silicon, leaving them open to two kinds of side-channel attacks that compromise sensitive data. The attacks, known as FLOP and SLAP, are possible due to Apple chips’ use of speculative execution.
Speculative execution is a performance optimization on newer Apple chips that makes them faster by predicting the control flow for programs. Exploiting it in a browser such as Safari or Chrome can give bad actors access to sensitive data such as emails, location history, and even credit card information.
FLOP is the more powerful of the two side-channel attacks. It exploits a form of speculative execution used by an Apple CPU’s load value predictor (LVP), allowing an attacker to retrieve location history from Google Maps, glean the contents of a user’s Gmail or Protonmail inbox, or look at events stored in iCloud Calendar. FLOP works against both Safari and Chrome on devices with M3, M4, and A17 chips (or newer).
SLAP, meanwhile, targets a chip’s load address predictor (LAP). It is more limited than FLOP, only working against Safari and carrying some restrictions on targetable web pages. However, it can attack iPhones, iPads, and Macs with in-house Apple chips going all the way back to M2 and A15 (or newer).
Here’s a list of devices vulnerable to both exploits:
- MacBooks launched in or after 2022 (MacBook Air, MacBook Pro)
- Mac desktops launched in or after 2023 (Mac Mini, iMac, Mac Studio, Mac Pro)
- iPad Pro, Air, and Mini models launched in or after September 2021 (Pro 6th and 7th generation, Air 6th gen., Mini 6th gen.)
- iPhones launched in or after September 2021 (13, 14, 15, and 16 series, SE 3rd gen.)
That essentially boils down to most of the iPhones, iPads, and Macs released in recent years. The FLOP and SLAP side-channel attacks were discovered by Jason Kim, Jalen Chuang, and Daniel Genkin from the Georgia Institute of Technology, alongside Yuval Yarom from Ruhr University Bochum.
“There are hardware and software measures to ensure that two open webpages are isolated from each other, preventing one of them from (maliciously) reading the other’s contents,” the researchers explained. “SLAP and FLOP break these protections, allowing attacker pages to read sensitive login-protected data from target webpages.”
The researchers noted they don’t know if other browsers such as Firefox are also affected since they weren’t tested in their study. They have also published academic papers on each attack. Their findings on FLOP are set to be presented at the 2025 USENIX Security Symposium, while their SLAP research will make an appearance at the 2025 IEEE Symposium on Security and Privacy.
The researchers provided possible steps to remedy the security flaws exposing Apple devices to FLOP and SLAP. According to them, Apple officials have already committed (privately) to patching the exploits.
Apple officially maintains that FLOP and SLAP aren’t immediate threats to its users. “We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats,” a spokesperson for the tech giant told Ars Technica. “Based on our analysis, we do not believe this issue poses an immediate risk to our users.”