Hackers Can Force iOS and macOS Browsers To Divulge Passwords (arstechnica.com)
Researchers have devised an attack that forces Apple's Safari browser to divulge passwords, Gmail message content, and other secrets by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices. From a report: iLeakage, as the academic researchers have named the attack, is practical and requires minimal resources to carry out. It does, however, require extensive reverse-engineering of Apple hardware and significant expertise in exploiting a class of vulnerability known as a side channel, which leaks secrets based on clues left in electromagnetic emanations, data caches, or other manifestations of a targeted system. The side channel in this case is speculative execution, a performance enhancement feature found in modern CPUs that has formed the basis of a wide corpus of attacks in recent years. The nearly endless stream of exploit variants has left chip makers -- primarily Intel and, to a lesser extent, AMD -- scrambling to devise mitigations.
The researchers implement iLeakage as a website. When visited by a vulnerable macOS or iOS device, the website uses JavaScript to surreptitiously open a separate website of the attacker's choice and recover site content rendered in a pop-up window. The researchers have successfully leveraged iLeakage to recover YouTube viewing history, the content of a Gmail inbox -- when a target is logged in -- and a password as it's being autofilled by a credential manager. Once visited, the iLeakage site requires about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.
Ok that's a CRITICAL (Score:2)
Re:Ok that's a CRITICAL (Score:5, Funny)
Just switch to a browser using a different rendering engine on iOS until it's patched?
Oh...
Comment removed (Score:4, Informative)
Re: Ok that's a CRITICAL (Score:3)
At the time of public release, Apple has implemented a mitigation for iLeakage in Safari. However, this mitigation is not enabled by default, and enabling it is possible only on macOS.
So it looks like a hard-to-patch bug... and whenever a real patch does come ar
Because Mac stuff just works! (Score:2, Funny)
Hacker: YOU'RE DAMN RIGHT!
Re: (Score:2)
Ah. Yet another person who had their sense of humor removed before having a stick shoved up their ass.
I pity you.
Re: (Score:2)
Thank you for proving my point....
Re: (Score:2)
Okay, you must be new..
Re: Because Mac stuff just works! (Score:1, Offtopic)
You think there's only one exploit of modern Macs? Lolol to the horizon.
Re: (Score:2, Troll)
You think that Mac has had ONE exploit?
Pardon me while I laugh at you.
A tearful name (Score:5, Funny)
That name though, "iLeakage"
Makes me WANNACRY
Re:A tearful name (Score:4, Funny)
That name though, "iLeakage"
Makes me WANNACRY
It makes my HEARTBLEED.
Re: (Score:3)
If these silly puns don't stop soon, I swear I'm gonna have a MELTDOWN!
Re: (Score:2)
If these silly puns don't stop soon, I swear I'm gonna have a MELTDOWN!
Just to save everybody the trouble, here's your Lexicon:
https://worthstart.com/compute... [worthstart.com]
SORRYNOTSORRY!
Re: (Score:2)
Don't fear the SPECTRE of Apple's wrath
Re: (Score:2)
Might I suggest a thicker iPad?
Re: (Score:2)
Might I suggest a thicker iPad?
Apple are releasing a new one... With wings.
My browsers ... (Score:3)
Re: (Score:2)
Your browser knows them when you enter them, though.
Re: (Score:2)
TFS describes this as an attack against credential managers. Specifically, "a password as it's being autofilled by a credential manager".
Re: (Score:3)
... don't know my passwords. You can beat them with a wrench [xkcd.com] all you want. They ain't talking.
This isn't limited to the default Safari + Keychain. Their demo shows it working when the passwords are in LastPass.
However - based on their FAQ - this apparently only works if you have your credential manager autofilling login fields without any interaction from you - which I don't think is the default setup for any of the third-party ones at least.
Re: (Score:2)
Thank Goodness! (Score:2)
My personal Mac has an Intel processor!
It has nothing to do with iOS or macOS (Score:5, Interesting)
It wouldn't surprise me that other ARM core implementations can be exploited this way, but it's too soon to tell.