New iLeakage attack can steal your emails and passwords on iPhone and Mac — how to stay safe

You should reconsider your assumption that hackers couldn’t access your Mac or iPhone. A new attack technique created by academic researchers can be used to steal confidential information from anyone using Safari on an Apple device.

According to BleepingComputer, a group of researchers from Georgia Tech, the University of Michigan, and Ruhr University Bochum have dubbed this new side-channel attack iLeakage. The technique can be used to steal emails, passwords, and other sensitive information directly from Safari on a susceptible Apple device. It also works on iOS with Firefox, Tor, and Edge.

What makes iLeakage more concerning is that it impacts the best MacBooks and iPhones using Apple Silicon. Thus, more recent Macs running M1, M2 and potentially even Apple’s upcoming M3 chips are impacted.

iLeakage was created by academic researchers and has many parallels to the Spectre attacks of 2018, which target Intel CPUs, and hackers aren’t currently using it in live attacks. But now that we are aware of Apple Silicon’s susceptibility to this kind of attack, hackers might build their own version of iLeakage or invent a related attack technique later on.

Stealing emails and passwords from Apple devices

Since iLeakage is a new attack technique, it is rather complex. The research paper (PDF) written by the team behind it contains all of the details.

In essence, the attack uses speculative execution to extract sensitive data from an arbitrary webpage rendered by Safari. The researchers were able to do this by getting around Apple’s side-channel safeguards in Safari, which include value poisoning, compressed 35-bit addressing, and a low-resolution timer.

To get past these protections, they also used speculative type confusion, which gave them access to private information from a targeted page, including passwords and emails. The researchers demonstrated in a series of YouTube videos (Demo 1, Demo 2, Demo 3) how the attack could extract Gmail messages and recover an Instagram test account’s password after LastPass had automatically filled it in. They then went one step further and showed how iLeakage attacks could be carried out on Chrome for iOS. This is made feasible by Apple policy, which mandates that all third-party iOS browsers function as overlays on top of Safari and use its JavaScript engine.

While Apple has yet to formally comment on these new iLeakage attacks, in an email to Tom’s Guide, an Apple spokesperson revealed the company is aware of the issue and that it will be addressed in its next scheduled software release.

How to stay safe from iLeakage 

iLeakage affects any Apple devices released after 2020 that feature the company’s A-Series or M-Series ARM CPUs. Because the attack doesn’t leave any evidence on its victims’ devices, it is virtually undetectable, so you might be asking what you can do to stay safe.

Thankfully, the iLeakage researchers privately informed Apple about this new vulnerability in September of last year, and macOS mitigations were created. It’s important to note that the researchers say this attack is challenging to execute because it requires a deep understanding of browser-based side-channel attacks and of Safari’s implementation. However, if you’re concerned and you’re using macOS Ventura 13.0, here are some precautions you can take to keep your Mac safe.

Start by opening Terminal on your Mac and typing “defaults write com.apple.Safari IncludeInternalDebugMenu 1” to activate the hidden debug menu in Safari. The “WebKit Internal Features” setting can now be accessed via the Debug menu that appears when you launch Safari. In this menu, you have to enable “Swap Processes on Cross-Site Window Open”. Although this will keep you safe, it might cause your Mac to become unresponsive. For this reason, you might want to wait for Apple to formally address iLeakage in its next major software update before doing this.
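
The Terminal step above, wrapped in a small script that checks for the macOS version the article names, reads the preference back to confirm the write took effect, and can remove it again. This is an added example, not code from the article or the researchers; the function names and the `on`/`off` arguments are hypothetical, while `defaults` and `sw_vers` are the standard macOS tools.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; defaults(1) and sw_vers(1) ship with macOS.
DOMAIN="com.apple.Safari"
KEY="IncludeInternalDebugMenu"

# Succeeds when dotted version $1 is >= $2 (compares major, then minor).
version_at_least() {
    have_major=${1%%.*}; need_major=${2%%.*}
    have_rest=${1#*.};   need_rest=${2#*.}
    [ "$have_rest" = "$1" ] && have_rest=0    # no dot: treat minor as 0
    [ "$need_rest" = "$2" ] && need_rest=0
    have_minor=${have_rest%%.*}; need_minor=${need_rest%%.*}
    [ "$have_major" -gt "$need_major" ] && return 0
    [ "$have_major" -lt "$need_major" ] && return 1
    [ "$have_minor" -ge "$need_minor" ]
}

# Prints 1 when the Debug menu preference is set, 0 when it is off or absent.
debug_menu_state() {
    value=$(defaults read "$DOMAIN" "$KEY" 2>/dev/null) || value=0
    case "$value" in 1|true|YES) echo 1 ;; *) echo 0 ;; esac
}

# Return codes: 0 ok, 2 no sw_vers, 3 macOS too old, 4 write failed, 5 not persisted.
enable_debug_menu() {
    os=$(sw_vers -productVersion 2>/dev/null) || return 2
    version_at_least "$os" 13.0 || { echo "macOS $os predates Ventura 13.0" >&2; return 3; }
    defaults write "$DOMAIN" "$KEY" 1 || return 4
    [ "$(debug_menu_state)" = 1 ] || return 5
    echo "Debug menu enabled. Relaunch Safari, then turn on"
    echo "Debug > WebKit Internal Features > Swap Processes on Cross-Site Window Open."
}

# Removes the preference again, e.g. once Apple ships its fix or if Safari misbehaves.
disable_debug_menu() {
    defaults delete "$DOMAIN" "$KEY" 2>/dev/null || true
    [ "$(debug_menu_state)" = 0 ]
}

case "${1:-}" in
    on)  enable_debug_menu ;;
    off) disable_debug_menu ;;
esac
```

If the write fails on a recent macOS release, Terminal usually lacks Full Disk Access, because Safari’s preferences are stored in a protected container.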

You should also think about installing the best Mac antivirus software to safeguard your computer from viruses and malware. Similarly, Intego Mac Premium Bundle X9 and Intego Mac Internet Security X9 can check your iPad or iPhone for malware, but they require the device to be plugged into your Mac with a USB cable in order to do so.

In contrast to the zero-day vulnerabilities that hackers frequently employ in their assaults, iLeakage is a proof of concept that demonstrates Apple Silicon’s susceptibility to side-channel attacks, much like processors from Intel, AMD, and other semiconductor manufacturers. Further information may become available in the future, but not until an iLeakage patch is released, and even then, Apple has a history of manipulating events.

2 thoughts on “New iLeakage attack can steal your emails and passwords on iPhone and Mac — how to stay safe”

  1. Here, I’ve read some really great content. It’s definitely worth bookmarking for future visits. I’m curious about the amount of work you put into creating such a top-notch educational website.
