Pierluigi Paganini October 26, 2023

Boffins devised a new iLeakage side-channel speculative execution attack exploits Safari to steal sensitive data from Macs, iPhones, and iPads.

A team of researchers from the University of Michigan, Georgia Institute of Technology, and Ruhr University Bochum has devised a transient side-channel speculative execution attack that exploits the Safari web browser to steal sensitive information from Macs, iPhones and iPad

iLeakage is a new Spectre-like side-channel attack, the researchers demonstrated that an attacker can induce Safari to render an arbitrary webpage, and then recovers sensitive information present within it using speculative execution. The technique can be used to recover secrets from popular high-value targets, including Gmail inbox content, and recover passwords auto filled by credential managers.

“Combining this with a new technique for consolidating websites from different domains into the same renderer process, we craft an end-to-end attack capable of extracting sensitive information (e.g., passwords, inbox content, locations, etc.) from popular services such as Google.” reads the paper published by the academic researchers. “Finally, we note that Safari / WebKit is the only browser engine permitted on iOS devices regardless of web browser app. This makes nearly all smartphone and tablet devices made by Apple susceptible to our attack.”

The researchers published a series of PoC videos for attacks to recover:

Instagram Credentials when a target uses an autofilling credential manager to sign into Instagram with Safari on macOS.

In another video, the researchers demonstrated the use of the iLeakage attack to recover Gmail Inbox Content when the target is signed into Google on Safari for iOS. The video shows how to recover the subject lines of the Gmail account’s most recent messages on an iPad.

In a third video PoC the researchers demonstrated how to recover YouTube watch history from the Chrome browser for iOS, which is a shell on top of Safari’s browsing engine due to Apple’s App Store policy.

The researchers disclosed the attack technique to Apple on September 12, 2022 (408 days before public release). Apple has released a mitigation for iLeakage in Safari, however it is not enabled by default, and it can be enabled only on macOS.

The researchers pointed out that iLeakage is difficult to detect, however the attack is not easy to conduct.

“iLeakage is highly unlikely to be detected, since the attack runs in Safari and does not leave traces in the system’s log files. However, traces of an attacker webpage hosting iLeakage may be present in the browser’s cache of pages it has recently visited.” concludes the researchers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)