Apple-designed chips in Macs, iPhones, and iPads contain two newly identified vulnerabilities that expose credit card information, geolocation, and other personal data from the Chrome and Safari browsers when users visit websites such as iCloud Calendar, Google Maps, and Proton Mail.
Researchers from the Georgia Institute of Technology and Ruhr University Bochum discovered two important security flaws that affect Apple’s A- and M-series chips built into devices released after 2021. Through the FLOP and SLAP side-channel vulnerabilities, unauthorized individuals can remotely access sensitive user information, including credit card details, location history, emails, and calendar events.
The vulnerabilities stem from speculative execution, a performance optimization that increases processing speed by predicting data and control flow. The two identified side-channel attacks operate as follows:
The researchers confirmed that the following Apple devices are vulnerable to one or both attacks:
Remote attackers can access sensitive data from Safari and Chrome users who are viewing the iCloud Calendar, Google Maps, Gmail, and Proton Mail websites, without requiring authentication. Unauthorized access to email accounts and financial data, combined with real-time location tracking, poses a serious privacy risk.
Security experts privately disclosed these vulnerabilities to Apple, which later acknowledged receipt of the material. Although Apple concluded that these security flaws pose no immediate threat, the company has confirmed plans to release updates as a preventative measure against potential future exploitation. In the meantime, security experts recommend that users adopt precautionary measures, such as limiting the use of sensitive applications on affected devices and keeping software updated.