Spectre can't stay dead despite numerous attempts by Apple to patch it: researchers have demonstrated iLeakage, the latest attack vector to use speculative execution.
Apple's move to Apple Silicon processors hasn't stopped speculative execution attacks from being possible. Previously, versions of Spectre have been proven to work with Apple's chipsets, including PACMAN and Meltdown.
Researchers sharing information about the latest exploit, dubbed iLeakage, say it isn't known whether it has been used in the wild. The attack is basically undetectable and requires minimal resources to implement, but it does require advanced knowledge of browser-based side-channel attacks and of Safari's implementation.
iLeakage is significant because it can induce Safari to render an arbitrary webpage and recover information presented within it. The researchers demonstrate lifting Instagram credentials, Gmail inbox data, and YouTube watch history with the exploit.
The exploit is a transient execution side channel that targets Safari and its technology stack. It affects iPhone, iPad, and Mac users.
How to protect yourself from iLeakage
Users don't need to panic about iLeakage. A future update will likely address the iLeakage attack vector, and there is already a toggle in macOS Safari that mitigates iLeakage — though it's off by default.
Apple has marked the setting as "unstable," so enable it at your own risk. The researchers recommend updating to macOS Sonoma if possible, but there is a route users can take for macOS Ventura too.
Enable Safari's hidden debugging menu
For macOS Sonoma:
- Open the Terminal app
- Paste the following command:
    defaults write com.apple.Safari IncludeInternalDebugMenu 1
- Press Return
For macOS Ventura and earlier:
- Download the version of Safari Technology Preview that matches your macOS version from Apple's download page
- Open the installer and follow directions until the Safari Technology Preview is installed
- Open the Terminal app
- Paste the following command:
    defaults write com.apple.SafariTechnologyPreview IncludeInternalDebugMenu 1
- Press Return
Enable the process
Now that Safari's hidden debugging menu is enabled, follow these steps.
- Open Safari and select "Debug" from the menu bar
- Select "WebKit Internal Features"
- Scroll down and click "Swap Processes on Cross-Site Window Open"
If that checkbox is checked, the protection is enabled on macOS.
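The Terminal part of the steps above as one script, added here as an example (not code from the article or from Apple): it picks the preference domain from the macOS version, writes the key, and reads it back to confirm the write took effect. The function names and the `--apply` flag are hypothetical, and treating releases newer than Sonoma like Sonoma is an assumption.

```sh
#!/bin/sh
# Added example: set IncludeInternalDebugMenu for the right Safari build
# and verify the value afterwards. Helper names are hypothetical.

# Map a macOS version (e.g. 14.1, 13.6.1) to the preference domain used
# in the steps above. Assumption: releases after Sonoma (14) behave like it.
safari_debug_domain() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) return 2 ;;   # not a version number
    esac
    if [ "$major" -ge 14 ]; then
        echo "com.apple.Safari"
    else
        # Ventura and earlier: Safari Technology Preview must be installed first.
        echo "com.apple.SafariTechnologyPreview"
    fi
}

# Interpret the output of `defaults read`: anything but 1/true/YES is "disabled".
debug_menu_state() {
    case $1 in
        1|true|TRUE|YES) echo "enabled" ;;
        *)               echo "disabled" ;;
    esac
}

enable_debug_menu() {
    command -v defaults >/dev/null 2>&1 || {
        echo "'defaults' not found: this is not macOS" >&2; return 1; }
    domain=$(safari_debug_domain "$(sw_vers -productVersion)") || return 1
    defaults write "$domain" IncludeInternalDebugMenu 1 || return 1
    # Read the key back instead of trusting the exit status of the write.
    value=$(defaults read "$domain" IncludeInternalDebugMenu 2>/dev/null)
    echo "$domain: debug menu $(debug_menu_state "$value")"
    [ "$(debug_menu_state "$value")" = "enabled" ]
}

# Act only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    enable_debug_menu &&
        echo "Next: Debug > WebKit Internal Features > Swap Processes on Cross-Site Window Open"
fi
```

The script only exposes the Debug menu; the "Swap Processes on Cross-Site Window Open" checkbox still has to be set by hand in Safari.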
The toggle isn't available in iOS or iPadOS Settings, but a similar toggle for "Swap Processes on Cross-Site Navigation" is enabled by default on our iPhone running iOS 17.1. It isn't clear if this toggle helps mitigate speculative execution attacks, but we wanted to note its existence.
Apple was notified about iLeakage on September 12, 2022. Now that the research is public, Apple may expedite a fix in a future operating system update.
3 Comments
Isn't it unusual for Apple not to patch an exploit for over a year after it was reported, and one that may be actively deployed?
Wesley, the options are available as GUI, at least in Sonoma, and this particular option is already checked, at least in macOS Sonoma 14.1 release version build 23B74.
iLeakage is an exploit against a flaw in WebKit. Spectre is a class of exploits against Intel (and AMD) CPUs and their branch prediction functionality, irrespective of what software is being run on those CPUs. I am super confused by the conflation of Spectre with iLeakage here.