A group of security researchers has discovered serious vulnerabilities in modern Apple processors that could allow attackers to steal personal information from web browsers without the need to install malware on the affected devices.
The flaws, dubbed FLOP and SLAP, affect the company’s latest chips and are related to errors in speculative execution, a mechanism that speeds up processor calculations but, in this case, exposes sensitive information.
Silent Attacks from the Browser
According to studies conducted by researchers from the Georgia Institute of Technology and Ruhr University Bochum, these vulnerabilities can be exploited remotely through malicious websites that execute code in JavaScript or WebAssembly.
The researchers demonstrated that it is possible to:
✔ Extract private information from Safari and Chrome.
✔ Access emails and browsing data.
✔ Bypass browser security measures, such as sandbox protection and memory randomization.
The attacks are divided into two categories:
- FLOP (False Load Output Prediction): affects the M3, M4, and A17 chips and is based on the incorrect prediction of memory values.
- SLAP (Speculative Load Address Prediction): present in the M2 and A15 processors, takes advantage of faults in predicting memory addresses.
Compromised Data: Gmail, iCloud, and Amazon in Sight
The researchers were able to extract confidential information during real-world tests, including:
📌 Emails from Gmail and Proton Mail.
📌 Location history from Google Maps.
📌 Purchase orders on Amazon.
📌 Private events in iCloud Calendar.
The risk is high, as users only need to visit a malicious website to become victims of the attack, without requiring the installation of any malicious software.
Apple Acknowledges the Issue, but No Solution Yet
The researchers notified Apple about these vulnerabilities in March and September 2024. The company has acknowledged the existence of the flaws but has not yet released security updates to fix them.
“We appreciate the collaboration of the researchers, as this concept helps us better understand these types of threats,” Apple stated in a release. “According to our analysis, we do not believe this issue poses an immediate risk to our users.”
However, cybersecurity experts warn that the problem is serious and could be exploited by cybercriminals to carry out targeted attacks against users of Mac, iPhone, and iPad devices with the affected chips.
How to Protect Yourself Until There’s a Patch?
While Apple works on a solution, specialists recommend:
🔹 Disabling JavaScript in Safari and Chrome, though this will affect the functionality of many websites.
🔹 Avoiding access to unknown or suspicious pages.
🔹 Updating devices as soon as Apple releases a security patch.
Hardware vulnerabilities like FLOP and SLAP are especially dangerous because they cannot be fixed with simple software adjustments but require complex patches at the operating system level.
Until Apple takes concrete action, users should exercise caution to avoid becoming victims of these attacks that can silently extract sensitive data without leaving a trace.
via: Security News