Hackers Can Force iOS and macOS Browsers To Divulge Passwords (arstechnica.com)

Researchers have devised an attack that forces Apple's Safari browser to divulge passwords, Gmail message content, and other secrets by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices. From a report: iLeakage, as the academic researchers have named the attack, is practical and requires minimal resources to carry out. It does, however, require extensive reverse-engineering of Apple hardware and significant expertise in exploiting a class of vulnerability known as a side channel, which leaks secrets based on clues left in electromagnetic emanations, data caches, or other manifestations of a targeted system. The side channel in this case is speculative execution, a performance enhancement feature found in modern CPUs that has formed the basis of a wide corpus of attacks in recent years. The nearly endless stream of exploit variants has left chip makers -- primarily Intel and, to a lesser extent, AMD -- scrambling to devise mitigations.

The researchers implement iLeakage as a website. When visited by a vulnerable macOS or iOS device, the website uses JavaScript to surreptitiously open a separate website of the attacker's choice and recover site content rendered in a pop-up window. The researchers have successfully leveraged iLeakage to recover YouTube viewing history, the content of a Gmail inbox -- when a target is logged in -- and a password as it's being autofilled by a credential manager. Once visited, the iLeakage site requires about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.

  • I'm the first to dismiss many exploit notifications as impractical, hard to exploit and unlikely to be seen in the wild before patching. Plenty of exploits some bug bounty hacker labels critical are often low or medium. In this case though, it seems like this is a serious, critical exploit that can easily be exploited with a malicious link or even malvertising. This is one to patch ASAP (not yet possible) on vulnerable Mac endpoints.
    • by bill_mcgonigle ( 4333 ) * on Wednesday October 25, 2023 @05:30PM (#63954245) Homepage Journal

      Just switch to a browser using a different rendering engine on iOS until it's patched?

      Oh...

    • by Shakrai ( 717556 ) on Wednesday October 25, 2023 @05:50PM (#63954303) Journal

      It's probably not that critical if TFA is to be believed:

      iLeakage is a practical attack that requires only minimal physical resources to carry out. The biggest challenge—and it’s considerable—is the high caliber of technical expertise required. An attacker needs to not only have years of experience exploiting speculative execution vulnerabilities in general but also have fully reverse-engineered A- and M-series chips to gain insights into the side channel they contain. There’s no indication that this vulnerability has ever been discovered before, let alone actively exploited in the wild.

      That means the chances of this vulnerability being used in real-world attacks anytime soon are slim, if not next to zero. It’s likely that Apple’s scheduled fix will be in place long before an iLeakage-style attack site does become viable.

      This sounds like something a nation state might be able to pull off, so not something you or I likely need to worry about before it gets patched. It is a decent segue into my first question: is this achievable with Lockdown Mode [apple.com] enabled? Here is the actual research paper [ileakage.com], instead of some ad-infested clickbait summary of it. I will be reading this in full later tonight and would encourage everyone else to do the same. It looks fascinating; I wish I could digest it right now.

      A quick search does not find the word "lockdown" in there, which is strange; someone who knows this much about the Apple platform would presumably have tested for that, and the omission might speak volumes. Maybe it does and they don't want to advertise it? Lockdown Mode disables a goodly portion of WebKit; it would be nice to know if that's an effective remediation for folks that might have a nation-state target on their back.

      My other question: did they submit this through Apple's bug bounty or just publish it? This would be worth $5,000 to $2,000,000 [apple.com] depending on the particulars and how Apple values it. My guess, from the detail in their paper, is that this would be on the high end, minimum $150,000; $2,000,000 if it does bypass Lockdown Mode.

      • Sounds like it will be a while before a threat actor can use it, but still, it's been known to these researchers for a while apparently. Apparently they added a FAQ, which does not address Lockdown Mode (hanging question for me as well... I don't know if Lockdown Mode's disabling of JIT is enough to defeat this JavaScript-based attack) at https://ileakage.com/ [ileakage.com]. Apparently they notified Apple more than a year ago, and the status is:

        At the time of public release, Apple has implemented a mitigation for iLeakage in Safari. However, this mitigation is not enabled by default, and enabling it is possible only on macOS.

        So it looks like a hard-to-patch bug... and whenever a real patch does come ar

  • Hacker: YOU'RE DAMN RIGHT!

  • by billybob2001 ( 234675 ) on Wednesday October 25, 2023 @05:49PM (#63954297)

    That name though, "iLeakage"

    Makes me WANNACRY

  • by PPH ( 736903 ) on Wednesday October 25, 2023 @06:07PM (#63954343)

    ... don't know my passwords. You can beat them with a wrench [xkcd.com] all you want. They ain't talking.

    • by XanC ( 644172 )

      Your browser knows them when you enter them, though.

      • by PPH ( 736903 )

        TFS describes this as an attack against credential managers. Specifically, "a password as it's being autofilled by a credential manager".

    • ... don't know my passwords. You can beat them with a wrench [xkcd.com] all you want. They ain't talking.

      This isn't limited to the default Safari + Keychain. Their demo shows it working when the passwords are in LastPass.

      However - based on their FAQ - this apparently only works if you have your credential manager autofilling login fields without any interaction from you - which I don't think is the default setup for any of the third-party ones at least.

  • My personal Mac has an Intel processor!

  • by juancn ( 596002 ) on Wednesday October 25, 2023 @08:15PM (#63954599) Homepage

    It's a CPU bug, much like Spectre; it's perfectly exploitable on Linux or Windows for ARM, which makes it much worse.

    It wouldn't surprise me if other ARM core implementations can be exploited this way, but it's too soon to tell.
