New iLeakage attack can steal your emails and passwords on iPhone and Mac — how to stay safe

iPhone 15 Pro Max shown in hand
(Image credit: Tom's Guide)

If you thought your iPhone and Mac were safe from hackers, think again. Academic researchers have developed a new attack method that can steal sensitive data from anyone using Safari on their Apple devices.

As reported by BleepingComputer, this new side-channel attack has been given the name iLeakage by a team of researchers from Georgia Tech, University of Michigan and Ruhr University Bochum. When launched on a vulnerable Apple device, this attack can be used to steal emails, passwords, and other important data right from Safari. However, it also works on Firefox, Tor, and Edge on iOS.

What makes iLeakage particularly worrying is that it affects the best iPhones, as well as the best MacBooks using Apple Silicon. This means that newer Macs running M1, M2 and potentially even Apple’s upcoming M3 chips are impacted.

While iLeakage was developed by academic researchers, and shares a lot of similarities with 2018’s Spectre attacks which affect Intel CPUs, it currently isn’t being used in the wild by hackers in their attacks. However, now that we know Apple Silicon is vulnerable to this type of attack, hackers could develop their own implementation of iLeakage or create a similar attack method in the future.

Stealing emails and passwords from Apple devices

As iLeakage is a novel attack method, it’s quite complicated and you can see all the details in this research paper (PDF) written by the team that developed it. 

Essentially, the attack works by forcing Safari to render an arbitrary webpage and then sensitive information within it is recovered using speculative execution. The researchers managed to do this by overcoming the side-channel protections — like the low-resolution timer, compressed 35-bit addressing and value poisoning — that Apple has implemented in Safari. 

They also employed speculative type confusion to bypass these restrictions, and this allowed them to leak sensitive data such as emails and passwords from a targeted page. In a series of YouTube videos (Demo 1, Demo 2, Demo 3), the researchers showed how they were able to steal Gmail messages as well as retrieve a password from an Instagram test account that was auto-filled in Safari using LastPass.

From here, they took things a step further by demonstrating how iLeakage attacks also work on Chrome for iOS. This is possible because Apple’s policy requires all third-party browsers for iOS to actually be overlays running on top of Safari which uses its JavaScript engine.

While Apple has yet to formally comment on these new iLeakage attacks, in an email to Tom’s Guide, an Apple spokesperson revealed the company is aware of the issue and that it will be addressed in its next scheduled software release.

How to stay safe from iLeakage 

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

(Image credit: robert coolen/Shutterstock)

All Apple devices released from 2020 onwards that use either the company’s A-Series or M-Series ARM processors are impacted by iLeakage. Since this attack is essentially undetectable, as it leaves no trace on a victim’s devices, you may be wondering what you can do to stay safe.

Fortunately, the researchers behind iLeakage privately disclosed this new attack to Apple back in September of last year and the company developed mitigations for macOS. It’s worth noting that the researchers say that this attack is difficult to carry out since advanced knowledge of browser-based side-channel attacks, and Safari’s implementation are required to do so. Still though, if you’re worried, here are some steps you can take to keep your Mac safe if you’re running macOS Ventura 13.0 or higher.

To start, open Terminal on your Mac and run “defaults write com.apple.Safari IncludeInternalDebugMenu 1” to enable Safari’s hidden debug menu. Now when you open Safari, its Debug menu will be visible and you can use it to open the “WebKit Internal Features” setting. When scrolling through this menu, you need to activate “Swap Processes on Cross-Site Window Open." While this will protect you, it could introduce some stability issues on your Mac. For this reason, you might want to hold off on doing this and wait for Apple to formally address iLeakage in its next major software update.

As for protecting your Mac from malware and other viruses, you should also consider installing the best Mac antivirus software as well. Likewise, Intego Mac Internet Security X9 and Intego Mac Premium Bundle X9 can scan your iPhone or iPad for malware but they need to be plugged into your Mac using a USB cable to do so.

Unlike zero-day flaws that are often used by hackers in their attacks, iLeakage is a proof of concept which shows that Apple Silicon is vulnerable to side-channel attacks just like processors from Intel, AMD and other chip makers. We could potentially find out more in the future but this won’t happen until a fix for iLeakage is rolled out and even then, Apple tends to play things close to the chest regarding vulnerabilities and new attack methods.

More from Tom's Guide

TOPICS
Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.