TL;DR: Researchers at the Georgia Institute of Technology have developed a side-channel exploit for A- and M-series Apple chips running macOS and iOS. The attack, cleverly dubbed iLeakage, can force Safari and other browsers to reveal Gmail messages, passwords, and other sensitive and private information.

iLeakage works similarly to the Spectre and Meltdown exploits that gave chip manufacturers so much trouble in 2018. The attack leverages the speculative execution feature of modern processors to gain access to information that would normally be hidden.

The method Georgia Tech developed is not a simple matter. While it doesn’t require specialized equipment, the attacker must have a decent knowledge of reverse engineering Apple hardware and side-channel exploits. It also involves creating a malicious website that uses JavaScript to covertly open another webpage, Gmail, for example, to scrape data into a separate popup window on the hacker’s computer. It’s not a hack that script kiddies could execute.

The technique can reveal the contents of an email so long as the user is logged into Gmail (masthead video). It can also grab credentials if the victim uses a password manager’s auto-fill function (above). Theoretically, the exploit could show the hacker practically anything that goes through the processor’s speculative execution pipe. Below they demo how it can access a target’s YouTube history.

iLeakage utilizes WebKit, so it only works with Safari on Macs with an M-series chip (2020 or later). However, any browser on recent iPhones or iPads is vulnerable since Apple requires developers to use its browser engine on those operating systems. It is unclear if the method could be tweaked to use non-WebKit browsers in macOS.

Although there is no CVE tracking designator, Georgia Tech notified Apple of the security issue on September 12, 2022. Cupertino developers are still working on fully mitigating it. At the time of public disclosure, Apple had patched the vulnerability in macOS, but it’s not on by default and is considered “unstable.” The researchers listed steps to enable the unperfected patch under “How can I defend against iLeakage?” Users should be familiar with Terminal and need full disk access before proceeding.

Currently, the only preventative measure for iPhones and iPads is to put them into lockdown mode. Of course, that also significantly limits the functionality of iOS and iPadOS. Alternatively, users can disable JavaScript if they don’t mind some websites not rendering correctly.

There is no evidence that bad actors have used iLeakage’s method in the wild. However, now that public disclosure has occurred, users should implement available mitigation methods and be mindful of the sites they visit.