Sunday, February 9, 2025
HomeAppleNew Apple SLAP & FLOP Side-Channel Attacks Let Attackers Steal Login Details...

New Apple SLAP & FLOP Side-Channel Attacks Let Attackers Steal Login Details From Browser

Published on

SIEM as a Service

Follow Us on Google News

Researchers from the Georgia Institute of Technology and Ruhr University Bochum have uncovered two novel speculative execution attacks, named SLAP (Speculative Data Attacks via Load Address Prediction) and FLOP (Breaking the Apple M3 CPU via False Load Output Predictions).

These vulnerabilities impact Apple Silicon chips, exposing critical security risks in devices built on the M2/A15 and later architectures.

Both exploits leverage microarchitectural optimizations in Apple processors, enabling attackers to extract sensitive data, such as email content, location information, and browsing history, from affected systems.

Exploiting Load Address Prediction

The SLAP attack targets the Load Address Predictor (LAP) embedded in Apple CPUs, starting with the M2 and A15 chips.

LAP is designed to enhance performance by predicting the memory addresses most likely to be accessed next, based on past usage patterns.

However, when the LAP makes an incorrect prediction, it opens the door for speculative execution to access out-of-bounds memory.

This introduces potential vulnerabilities where a malicious actor can orchestrate attacks to leak sensitive data.

To demonstrate SLAP’s impact, researchers executed a proof-of-concept attack targeting Safari.

By manipulating the LAP through JavaScript code, they retrieved sensitive information, such as email content and browsing behavior, from Apple’s Proton Mail interface.

This highlights the practical dangers posed by speculative execution when combined with improper memory access during data prediction.

Leveraging Load Value Prediction

The FLOP vulnerability expands on these issues by exploiting the Load Value Predictor (LVP) found in Apple’s latest M3 and A17 chips.

The LVP speculatively predicts the data value expected to be returned during memory access before its actual computation.

If the LVP mispredicts the value, speculative execution can proceed on incorrect assumptions, bypassing critical boundary checks.

Researchers demonstrated the FLOP attack on both Safari and Chrome browsers, successfully crafting arbitrary memory read primitives.

This allowed them to extract highly sensitive data, including location history, calendar events, and stored payment information.

FLOP’s ability to bypass typical memory safety mechanisms through speculative execution underscores the potential severity of this flaw.

The researchers showcased SLAP and FLOP’s capabilities through striking demonstrations.

SLAP allowed them to reconstruct the first paragraph of The Great Gatsby by training the LAP to speculatively access hidden memory addresses on an Apple M2 CPU.

Similarly, FLOP was used on the M3 CPU to retrieve the opening paragraph of Harry Potter and the Sorcerer’s Stone by manipulating the LVP to mispredict memory indices, granting access to unintended data regions.

SLAP and FLOP underline the risks associated with speculative execution optimizations in modern CPUs, particularly as performance enhancements inadvertently create new attack surfaces.

Apple has yet to publicly address these vulnerabilities, but patches will likely be rolled out to mitigate these risks.

This research was supported by various institutions, including the Air Force Office of Scientific Research (AFOSR), DARPA, the DFG’s Excellence Strategy, and contributions from industry partners like Qualcomm and Cisco.

Researchers emphasize that their findings highlight systemic challenges in processor design, urging a rethinking of speculative execution mechanisms in secure computing environments.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...