iLeakage, stealing passwords on macOS and iOS is possible: how to defend yourself

If we told you it was possible steal passwords su macOS and iOS by having the web browser itself reveal them, you probably wouldn’t believe it. Yet, a group of experts from the Georgia Institute of Technologyone of the most important technological research centers in the USA, has just detonated the bomb: the christened attack Leakage putting at risk the access credentials and personal data of a large portion of users owning Mac, iPhone and iPad systems.

The researchers explain that, by leveraging a side channel attack, it is possible to induce the browser Safari to reveal data that should instead be kept with the utmost diligence, for example username and password. The security problem is particularly serious since it affects the entire range of Apple devices, including those equipped with SoC Apple Silicon (sigla M).

The experts of Georgia Institute of Technology in fact, they specify that the flaw in question concerns everyone iPhone e iPad recent, as well as i laptop e desktop Apple placed on the market from 2020 onwards.

iLeakage, macOS, iOS and iPadOS password attack

How the iLeakage attack works which allows you to steal passwords and other personal data

The code loaded in each browser tab Web must be isolated and cannot access information contained in other tabs open at the same time. The iLeakage attack instead uses JavaScript and WebAssembly (WASM) code to read the contents of another page Web and extract personal information, passwords and credit card data.

In this video you can see how the iLeakage attack allows you to steal credentials access to Instagram. As soon as the user places them in another tab or leaves a password manager as LastPass fills out the login form, the attacker receives the credentials in clear text.

The same thing happens with Gmail: in this case, the attacker can, for example, decide to steal the list of email oh message texts. Again, this video shows how you can get hold of the YouTube history of another user.

One click on a malicious page and your personal information can be compromised

The attack starts from a malicious website: by clicking on any element displayed on the page, the services whose passwords or other data you want to steal (such as Instagram, Gmail, YouTube,…) open in a new tab. Since Safari renders the two tabs (that of the site that launches the iLeakAge attack and that of the service to be violated) using the same processthe attacker can exploit a speculative execution flaw to recover others’ personal information.

Many vulnerabilities side channelincluding those exploited for iLeakage, have to do with the CPU microarchitecture. Whenever malicious code and the target of the attack are loaded on the same CPU, they they share internal resources of the processor such as core, cache and buffer. This sharing leads to the generation of conflict situations that can be measured in practice with activities that can lead to the extraction of “secrets”, even when the information is isolated at the process or hypervisor level.

To complicate matters, the fact that iLeakage is not recognizable: the attack occurs directly within Safari and all browsers based on its same rendering engine, leaving no traces in the registry files.

How iLeakage differs from the Specter attack

Those who follow the continuous evolutions in the IT field know very well that the month of January 2018 is a watershed date: it was then that attacks such as Meltdown and Specter shook the world of CPUs, giving rise to a series of subsequent studies.

Specter and iLeakage are both attacks that exploit gaps in thespeculative execution microprocessors to access sensitive information. When a processor predicts the outcome of a decision (such as a conditional branch in a program) incorrectly, the instructions are still executed only to be subsequently discarded in the event of an incorrect prediction. Loading this information affects the state of the processor and cache.

An attack like Spectre allows an attacker to force the processor to execute speculative instructions that could have access to sensitive information, such as data in cache or memory. Even if the speculative instructions are discarded when the error in the prediction is discovered, the attacker can succeed extract confidential information pivoting on a secondary channel (side channel).

iLeakage is an attack that targets the Safari browser on Apple devices such as Mac, iPad, and iPhone. Exploit weaknesses in separation of operations speculative and in the management of cache of Apple devices. Attackers trick Safari into loading the content of a web page speculatively, allowing access to data that should be kept secret.

How to defend devices from iLeakage attack

Researchers informed Apple about the existence of the security flaw underlying iLeakage on September 12, 2022, which is more than a year ago. Apple has implemented a fix in Safari which, however, is not enabled by default. Furthermore, it can only be activated on macOS systems and is still indicated as an “unstable” solution.

To activate it on macOS Sonoma, simply copy and paste the following command:

defaults write IncludeInternalDebugMenu 1

At this point you need to access the menu Debug of the Safari browser, select the WebKit Internal Features item and then enable the option Swap Processes on Cross-Site Window Open.

Menu Debug Apple Safari

Users running an operating system version older than Sonoma are strongly advised to upgrade. Otherwise, to activate the same protection function, you should download and install the package Safari Technology Preview.

They are macOSother popular browsers such as Chrome, Firefox and Edge use different JavaScript engines than the one used by Safari: using these products, users are currently safe.

The users of iOS, however, are in a different situation: the iOS versions of Chrome, Firefox and Edge cannot use different rendering engines. Browsers published onApp Store Apple are therefore themselves vulnerable to iLeakage attacks.


Please enter your comment!
Please enter your name here