Hackers Can Force iOS and macOS Browsers To Divulge Passwords (arstechnica.com)
Researchers have devised an attack that forces Apple's Safari browser to divulge passwords, Gmail message content, and other secrets by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices. From a report: iLeakage, as the academic researchers have named the attack, is practical and requires minimal resources to carry out. It does, however, require extensive reverse-engineering of Apple hardware and significant expertise in exploiting a class of vulnerability known as a side channel, which leaks secrets based on clues left in electromagnetic emanations, data caches, or other manifestations of a targeted system. The side channel in this case is speculative execution, a performance enhancement feature found in modern CPUs that has formed the basis of a wide corpus of attacks in recent years. The nearly endless stream of exploit variants has left chip makers -- primarily Intel and, to a lesser extent, AMD -- scrambling to devise mitigations.
The researchers implement iLeakage as a website. When visited by a vulnerable macOS or iOS device, the website uses JavaScript to surreptitiously open a separate website of the attacker's choice and recover site content rendered in a pop-up window. The researchers have successfully leveraged iLeakage to recover YouTube viewing history, the content of a Gmail inbox -- when a target is logged in -- and a password as it's being autofilled by a credential manager. Once visited, the iLeakage site requires about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.
Ok that's a CRITICAL (Score:2)
Re:Ok that's a CRITICAL (Score:5, Funny)
Just switch to a browser using a different rendering engine on iOS until it's patched?
Oh...
Re:Ok that's a CRITICAL (Score:4, Informative)
It's probably not that critical if TFA is to be believed:
iLeakage is a practical attack that requires only minimal physical resources to carry out. The biggest challenge—and it’s considerable—is the high caliber of technical expertise required. An attacker needs to not only have years of experience exploiting speculative execution vulnerabilities in general but also have fully reverse-engineered A- and M-series chips to gain insights into the side channel they contain. There’s no indication that this vulnerability has ever been discovered before, let alone actively exploited in the wild.
That means the chances of this vulnerability being used in real-world attacks anytime soon are slim, if not next to zero. It’s likely that Apple’s scheduled fix will be in place long before an iLeakage-style attack site does become viable.
This sounds like something a nation state might be able to pull off, so, not something you or I likely need to worry about before it gets patched. It is a decent segue into my first question: is this achievable with Lockdown Mode [apple.com] enabled? Here is the actual research paper [ileakage.com], instead of some ad-infested clickbait summary of it. I will be reading this in full later tonight and would encourage everyone else to do the same. It looks fascinating; I wish I could digest it right now.
A quick search does not find the word "lockdown" in there, which is strange; someone who knows this much about the Apple platform would presumably have tested for that, and the omission might speak volumes. Maybe it does and they don't want to advertise it? Lockdown Mode disables a goodly portion of WebKit; it would be nice to know if that's an effective remediation for folks that might have a nation-state target on their back.
My other question: did they submit this through Apple's bug bounty or just publish it? This would be worth $5,000 to $2,000,000 [apple.com] depending on the particulars and how Apple values it. My guess, from the detail in their paper, is that this would be on the high end, minimum $150,000. $2,000,000 if it does bypass Lockdown Mode.
Re: Ok that's a CRITICAL (Score:3)
At the time of public release, Apple has implemented a mitigation for iLeakage in Safari. However, this mitigation is not enabled by default, and enabling it is possible only on macOS.
So it looks like a hard-to-patch bug... and whenever a real patch does come ar
Because Mac stuff just works! (Score:2, Funny)
Hacker: YOU'RE DAMN RIGHT!
Re: (Score:2)
Ah. Yet another person who had their sense of humor removed before having a stick shoved up their ass.
I pity you.
Re: (Score:2)
Thank you for proving my point....
Re: (Score:2)
Okay, you must be new..
Re: Because Mac stuff just works! (Score:1, Offtopic)
You think there's only one exploit of modern Macs? Lolol to the horizon.
Re: (Score:2, Troll)
You think that Mac has had ONE exploit?
Pardon me while I laugh at you.
A tearful name (Score:5, Funny)
That name though, "iLeakage"
Makes me WANNACRY
Re:A tearful name (Score:4, Funny)
That name though, "iLeakage"
Makes me WANNACRY
It makes my HEARTBLEED.
Re: (Score:3)
If these silly puns don't stop soon, I swear I'm gonna have a MELTDOWN!
Re: (Score:2)
If these silly puns don't stop soon, I swear I'm gonna have a MELTDOWN!
Just to save everybody the trouble, here's your Lexicon:
https://worthstart.com/compute... [worthstart.com]
SORRYNOTSORRY!
Re: (Score:2)
Don't fear the SPECTRE of Apple's wrath
Re: (Score:2)
Might I suggest a thicker iPad?
Re: (Score:2)
Might I suggest a thicker iPad?
Apple are releasing a new one... With wings.
My browsers ... (Score:3)
Re: (Score:2)
Your browser knows them when you enter them, though.
Re: (Score:2)
TFS describes this as an attack against credential managers. Specifically, "a password as it's being autofilled by a credential manager".
Re: (Score:3)
... don't know my passwords. You can beat them with a wrench [xkcd.com] all you want. They ain't talking.
This isn't limited to the default Safari + Keychain. Their demo shows it working when the passwords are in LastPass.
However - based on their FAQ - this apparently only works if you have your credential manager autofilling login fields without any interaction from you - which I don't think is the default setup for any of the third-party ones at least.
Re: (Score:2)
Thank Goodness! (Score:2)
My personal Mac has an Intel processor!
It has nothing to do with iOS or macOS (Score:5, Interesting)
It wouldn't surprise me that other ARM core implementations can be exploited this way, but it's too soon to tell.