iLeakage attack resurrects Spectre with password and website data extraction

iLeakage attack

Apple's move to Apple Silicon processors hasn't stopped speculative execution attacks from being possible. Previously, versions of Spectre have been proven to work with Apple's chipsets, including PACMAN and Meltdown.

Researchers sharing information about the latest exploit, dubbed iLeakage, say that it isn't known if it has been used in the wild or not. The attack is basically undetectable and requires minimal resources to implement, but requires advanced knowledge of browser-based side-channel attacks and Safari's implementation.

iLeakage is significant because it can induce Safari to render an arbitrary webpage and recover information presented within it. The researchers demonstrate lifting Instagram credentials, Gmail inbox data, and YouTube watch history with the exploit.

The exploit is a transient execution side channel that targets Safari and its technology stack. It affects iPhone, iPad, and Mac users.

How to protect yourself from iLeakage

Users don't need to panic about iLeakage. A future update will likely address the iLeakage attack vector, and there is already a toggle in macOS Safari that mitigates iLeakage — though it's off by default.

Apple has marked the setting as "unstable," so enable it at your own risk. The researchers recommend updating to macOS Sonoma if possible, but there is a route users can take for macOS Ventura too.

Enable Safari's hidden debugging menu

For macOS Sonoma:

1. Open the Terminal app
2. Paste the following command: defaults write com.apple.Safari IncludeInternalDebugMenu 1
3. Press Return

For macOS Ventura and earlier:

1. Download the version of Safari Technology Preview that matches your macOS version from Apple's download page
2. Open the installer and follow directions until the Safari Technology Preview is installed
3. Open the Terminal app
4. Paste the following command: defaults write com.apple.SafariTechnologyPreview IncludeInternalDebugMenu 1
5. Press Return

Enable the process

Now that Safari's hidden debugging menu is enabled, follow these steps.

1. Open Safari and select "Debug" from the menu bar
2. Select "WebKit Internal Features"
3. Scroll down and click "Swap Processes on Cross-Site Window Open"

If that checkbox is clicked, the protection is enabled on macOS.

The toggle isn't available in iOS or iPadOS Settings, but a similar toggle for "Swap Processes on Cross-Site Navigation" is enabled by default on our iPhone running iOS 17.1. It isn't clear if this toggle helps mitigate speculative execution attacks, but we wanted to note its existence.

Apple was notified about iLeakage on September 12, 2022. Now that the research is public, Apple may expedite a fix in a future operating system update.