Security & Privacy

iLeakage Attack could let hackers steal passwords, data from Safari on Macs

Posted on by

Remember Spectre, the speculative execution attack? Researchers have discovered a new exploitation technique called the “iLeakage Attack” that can exploit processors’ speculative execution feature. Specifically, an attacker may be able to steal passwords and extract data from pages in the Safari browser on Apple silicon (M-series processor) Macs. Meanwhile, iPhones and iPads (with A-series processors) are also vulnerable.

In a paper titled “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices” (PDF), four university researchers describe the attack. They demonstrate how an attacker can recover passwords that were autofilled by a credential manager, or the contents of Web pages (for example, a victim’s private Gmail messages or YouTube watch history), using their iLeakage exploit.

Here are the most important things to know about the iLeakage Attack.

In this article:

Has iLeakage been used in real-world attacks?

The researchers are unaware of any real-world attacks that may have leveraged the iLeakage exploitation methodology. But that doesn’t mean it hasn’t happened.

It is highly unlikely that anyone—aside from a threat actor that may have used the technique—would ever know that the exploit had been used. No system logs would indicate the usage of such exploits.

Are there any mitigation techniques?

If you’re concerned about someone potentially using the iLeakage Attack against you, there are a few options for protecting your system.

Mitigation technique 1: Enable “Swap Processes on Cross-Site Window Open”

The iLeakage homepage explains that Apple implemented a (non-default) mitigation for this exploit in macOS Ventura 13.0. This means that all later versions of macOS—including macOS Sonoma 14.x—have the capability to enable Apple’s mitigation method. The caveat: Apple chose to leave the mitigation disabled by default, meaning that concerned users or IT administrators will have to manually enable the mitigation technique.

Users of macOS Sonoma can follow this process to enable the mitigation:

  1. Temporarily enable Full Disk Access for the Terminal app.
  2. Open the Terminal, and copy and paste the following command, then press the Return or Enter key on the keyboard:
    defaults write com.apple.Safari IncludeInternalDebugMenu 1
  3. Open Safari, click on the Debug menu, hover over “WebKit Internal Features,” and scroll down to “Swap Processes on Cross-Site Window Open.” If that menu item doesn’t have a √ checkmark next to it, then the mitigation is not currently enabled; click on the menu item to enable it.
  4. Disable Full Disk Access for the Terminal app.

More complete steps on how to enable Full Disk Access, as well as the slightly different mitigation method for macOS Ventura, are available on the iLeakage site.

Mitigation technique 2: Enable Lockdown Mode

An alternative way to block the iLeakage exploitation technique is to enable Lockdown Mode. However, Lockdown Mode has other side effects that average users may find undesirable, as it’s specifically designed to reduce the device’s feature set to limit its attack surface. Apple intends for Lockdown Mode to be used by people who are highly likely to be targeted by well-funded, nation-state level threat actors.

Mitigation technique 3: Use a browser other than Safari

Only Safari is vulnerable to the specific exploitation technique developed by the researchers. Thus, using Firefox, Chrome, or another Chromium-based browser would be sufficient to stop the iLeakage Attack.

What’s the history of speculative execution exploits?

In January 2018, multiple groups published independently researched reports about vulnerabilities related to speculative execution, a technology that enhances processor performance. Also revealed at that time were Meltdown and Spectre—exploits that leveraged those vulnerabilities.

While Intel got a bad rap for the existence of these vulnerabilities, the problem wasn’t actually limited to only Intel (or even AMD) CPUs. ARM-based processors, like those in Apple’s iPhone, iPad, and iPod touch products, also required software-based mitigations. Apple released some relevant security patches for these systems, as well as for Macs, in December 2017 (before the vulnerabilities were disclosed to the public) and January 2018.

Later speculative execution exploits have included Foreshadow (August 2018), SPOILER (March 2019), ZombieLoad (May 2019), Retbleed (July 2022), and Downfall (August 2023), all of which affected Intel processors. Yet another, PACMAN (June 2022), affected Apple M1 processors specifically.

xkcd #1938: Meltdown and Spectre
Image credit: xkcd #1938 by Randall Munroe

Apple began to migrate Macs to its own ARM-based “M-series” (M1, M2, and M3) processors, collectively dubbed “Apple silicon,” in 2020. Other than refurbished units, Apple no longer sells Intel-based Macs today. However, Apple still supports many Intel Macs; macOS Sonoma is compatible with many Intel-based Mac models released between 2017 and 2020.

Of course, as we have seen with PACMAN and now iLeakage, even Apple silicon Macs are not invulnerable to speculative execution attacks. It is likely that more such attack methods will be discovered in the future.

How can I learn more?

More details about the iLeakage Attack, including demonstration videos, are available at the researchers’ site: ileakage.com.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →