iLeakage: Browser-Based Timerless Speculative Execution Attacks on Apple Devices
Jason Kim et al. (Hacker News):
We present iLeakage, a transient execution side channel targeting the Safari web browser present on Macs, iPads and iPhones. iLeakage shows that the Spectre attack is still relevant and exploitable, even after nearly 6 years of effort to mitigate it since its discovery. We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution. In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.
[…]
Code running in one web browser tab should be isolated and not be able to infer anything about other tabs that a user has open. However, with iLeakage, malicious JavaScript and WebAssembly can read the content of a target webpage when a target visits and clicks on an attacker's webpage. This content includes personal information, passwords, or credit card information.
[…]
At the time of public release, Apple has implemented a mitigation for iLeakage in Safari. However, this mitigation is not enabled by default, and enabling it is possible only on macOS [in Safari’s Debug menu]. Furthermore, it is marked as unstable.
[…]
We disclosed our results to Apple on September 12, 2022 (408 days before public release).
It’s still possible in Lockdown Mode, but slower.
iLeakage represents several breakthroughs. First is its ability to defeat these defenses with Safari running on A- and M-series chips by exploiting a type confusion vulnerability. Secondly, it's a variant that doesn’t rely on timing but rather on what’s known as a race condition. A third key ingredient is the unique ability of WebKit to consolidate websites from different domains into the same renderer process using the common JavaScript method window.open.
So Chrome and Firefox are not vulnerable, but of course Apple doesn’t allow their browser engines on iOS.
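The quoted passage notes that WebKit can place pages from different sites, opened through window.open, in the same renderer process. As an added illustration (not code from the iLeakage paper, from WebKit, or from this post), the script below does two defender-side things: it inspects a set of HTTP response headers for the Cross-Origin-Opener-Policy (COOP) value that asks a browser to sever the opener relationship between cross-origin documents, and it wraps window.open so that outbound links are always opened with noopener. The header semantics follow the HTML specification's COOP definitions; the sample header sets are constructed, the function and parameter names are my own, and the post makes no claim about whether these settings affect iLeakage specifically.

```javascript
// Added example, not from the iLeakage paper, WebKit or this post.
// Checks COOP headers and wraps window.open so links never hand the
// opened page a reference back to the opener.

// Lower-case header names and values so lookups are case-insensitive
// (HTTP header names are case-insensitive; COOP values are compared as tokens).
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim().toLowerCase();
  }
  return out;
}

// Evaluate how a response's COOP header isolates the page from cross-origin openers.
// Returns { coop, openerIsolated, findings }.
//  - "same-origin": cross-origin openers and openees get no window reference
//  - "same-origin-allow-popups": the page is cut off from a cross-origin opener
//    but may itself open popups that keep a reference
//  - "unsafe-none" (the spec default when absent): nothing is severed
function evaluateOpenerIsolation(headers) {
  const h = normalizeHeaders(headers);
  const coop = h['cross-origin-opener-policy'] || 'unsafe-none';
  const findings = [];

  const openerIsolated = coop === 'same-origin' || coop === 'same-origin-allow-popups';
  if (coop === 'unsafe-none') {
    findings.push('Cross-Origin-Opener-Policy absent or unsafe-none: a cross-origin ' +
                  'opener keeps a window reference to this page');
  } else if (!openerIsolated) {
    findings.push(`Unrecognised Cross-Origin-Opener-Policy value "${coop}"; browsers treat unknown values as unsafe-none`);
  } else if (coop === 'same-origin-allow-popups') {
    findings.push('same-origin-allow-popups: popups this page opens may retain a reference to it');
  }

  return { coop, openerIsolated, findings };
}

// Wrapper around window.open that always requests noopener (and noreferrer).
// `win` is passed in so the function can be exercised outside a browser.
function openWithoutOpener(win, url) {
  return win.open(url, '_blank', 'noopener,noreferrer');
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  hardened: { 'Content-Type': 'text/html', 'Cross-Origin-Opener-Policy': 'same-origin' },
  partial:  { 'content-type': 'text/html', 'cross-origin-opener-policy': 'Same-Origin-Allow-Popups' },
  bare:     { 'Content-Type': 'text/html' },
};

// Run the check over every sample and return a summary keyed by name.
function auditSamples(samples = SAMPLE_RESPONSES) {
  const report = {};
  for (const [name, headers] of Object.entries(samples)) {
    report[name] = evaluateOpenerIsolation(headers);
  }
  return report;
}

if (typeof window === 'undefined') {
  // Stand-alone run (e.g. under Node): print the audit of the constructed samples.
  console.log(JSON.stringify(auditSamples(), null, 2));
}

module.exports = { normalizeHeaders, evaluateOpenerIsolation, openWithoutOpener, auditSamples, SAMPLE_RESPONSES };
```

In a browser you would call openWithoutOpener(window, url) from your own link handlers; in a response-header audit you would feed evaluateOpenerIsolation the headers of each HTML response and fail the build or alert on any result whose openerIsolated is false.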
Previously:
- Apple Considering Dropping WebKit Requirement
- PACMAN Attack on M1 Processor
- CMA on WebKit Security Bugs
- Apple Silicon “Augury” DMP Vulnerability
- Open Web Advocacy
- The Time to Fix Web Security Bugs
- M1racles: M1ssing Register Access Controls Leak EL0 State
- Microarchitectural Data Sampling (MDS) Mitigation
- Mitigating Spectre With Site Isolation in Chrome
- Intel FPU May Spill Crypto Secrets to Apps
- Finding a CPU Design Bug in the Xbox 360
- Intel CPU Design Flaw Necessitates Kernel Page Table Isolation