A pair of flaws in recent M-series and A-series Apple chips could allow attackers to break the security of Macs, iPhones, and iPads. SLAP and FLOP are attack methods that exploit predictive functionality in Apple chips. Apple’s M2 and A15 and later chips are vulnerable to SLAP; M3 and A17 and later are vulnerable to FLOP.
Here’s everything you need to know about FLOP and SLAP and how they could potentially impact you.
SLAP is short for Speculation attacks via Load Address Prediction. Apple’s M2 and A15 chips (and later versions) include “a Load Address Predictor (LAP), which improves performance by guessing the next memory address” from which the CPU will retrieve data.
FLOP is short for False Load Output Predictions. Apple’s M3 and A17 chips (and later versions) include a Load Value Predictor (LVP), which “improves performance on data dependencies by guessing the [next] data value that will be returned by the memory subsystem… before the value is actually available.”
In other words, LAP and LVP are speculative execution technologies built into Apple chips. Speculative execution techniques are common because they allow for significant speed improvements. But the downside is that they can often be exploited via so-called “side channel attacks.”
Put more simply, by exploiting a feature that’s intended to improve processing speed, attackers can potentially do harmful things. In this case, attackers could extract sensitive information from other browser tabs. Researchers demonstrated stealing credit card information, e-mail contents, meeting locations from calendars, and more.
We’ve covered several speculative execution side channel attacks on the Intego blog and podcast; first, Spectre and Meltdown in 2018, then SPOILER, Foreshadow-NG and ZombieLoad, Augury, Retbleed, Downfall, iLeakage, GoFetch, and Indirector.
The researchers’ list is somewhat confusing; we’ve cleaned up the list of affected models to clarify which Macs, iPads, and iPhones are vulnerable.
All of the devices listed above have a chip from one of the affected lines: M2, M3, M4, A15, A16, A17, A18.
Note that the iPad (10th generation), which was released in October 2022, has an A14 Bionic chip and is therefore unaffected.
The researchers did not mention Apple Vision Pro. However, given that it uses the same M2 processor as some Macs and iPads (and OS and browser technologies are largely shared across Apple platforms), it is plausible that SLAP may be exploitable on Vision Pro, too.
Macs and iPads with M1 chips, and Intel-based Macs, are not vulnerable to FLOP or SLAP attacks. Similarly, iPhones and iPads older than those listed above are unaffected.
SLAP relies on features introduced in M2 and A15 chips, and FLOP relies on features introduced in M3 and A17 chips. All later chips than these are impacted, too.
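The generation rule above can be turned into a quick inventory triage. This is an added example, not code from the researchers or from Intego; it assumes chip names in the form macOS reports via `sysctl -n machdep.cpu.brand_string` (for example "Apple M2 Pro"), and the hostnames and inventory are constructed.

```python
import re

# Earliest affected generation per chip family, as stated in the article:
# SLAP from M2 / A15, FLOP from M3 / A17; later generations are also affected.
FIRST_AFFECTED = {
    "SLAP": {"M": 2, "A": 15},
    "FLOP": {"M": 3, "A": 17},
}

# Matches e.g. "Apple M2 Pro", "M3 Max", "A17 Pro", "Apple A15 Bionic".
CHIP_RE = re.compile(r"\b([MA])(\d{1,2})\b")


def exposure(chip_name):
    """Return the set of attacks (SLAP/FLOP) the named chip is exposed to.

    Returns None when the string is not a recognisable Apple M/A-series name,
    so callers can tell "unaffected" (empty set) apart from "unknown".
    """
    if "intel" in chip_name.lower():
        return set()  # Intel-based Macs are not affected, per the article
    m = CHIP_RE.search(chip_name)
    if m is None:
        return None
    family, gen = m.group(1), int(m.group(2))
    return {attack for attack, first in FIRST_AFFECTED.items()
            if gen >= first[family]}


def triage(inventory):
    """Map hostname -> sorted attack list, or "unknown" for unparsed chips."""
    report = {}
    for host, chip in inventory.items():
        result = exposure(chip)
        report[host] = "unknown" if result is None else sorted(result)
    return report


# Constructed sample inventory (hypothetical hostnames, not real devices).
SAMPLE = {
    "mbp-01": "Apple M1 Pro",
    "mba-02": "Apple M2",
    "imac-03": "Apple M3 Max",
    "iphone-04": "A15 Bionic",
    "ipad-05": "A14 Bionic",
    "mini-06": "Intel(R) Core(TM) i7-8700B CPU @ 3.20GHz",
    "vm-07": "Virtual CPU",
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(f"{host}: {result}")
```

Hosts reported as "unknown" need a manual check rather than being treated as unaffected.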
Apple has known about SLAP since May 24, 2024, and FLOP since September 3, 2024. Apple has not made any public statement about either one.
Will Apple attempt to mitigate these vulnerabilities? There isn’t a clear answer. The researchers say that “Apple has communicated to us that they plan to address these issues in an upcoming security update.” However, an Apple spokesperson declined to state to Ars Technica whether such plans exist; instead, Apple merely said that “Based on our analysis, we do not believe this issue poses an immediate risk to our users.”
Meanwhile, app developers can choose to mitigate FLOP and SLAP or not, on a per-app basis; users are at developers’ mercy.
To prevent SLAP attacks, for now users can avoid using the Safari browser; Chrome (and presumably other Chromium-based browsers, like Microsoft Edge and Brave) is not vulnerable to SLAP.
FLOP attacks, however, are effective against both Safari and Chrome. The researchers did not test Firefox.
The researchers just published their findings this week, the final week of January 2025. To their knowledge, attackers have not yet exploited SLAP or FLOP in any real-world attack scenarios. But in theory, threat actors could start exploiting these vulnerabilities in the wild, now that the flaws are public knowledge.
For now, users of affected Apple products shouldn’t worry too much about these vulnerabilities.
If at some point Apple becomes aware of threat actors exploiting these flaws in the wild—and especially if the public were also aware of this fact—Apple would presumably attempt to mitigate them quickly.
Users who are particularly concerned about difficult-to-exploit attacks like these should keep their operating systems and software patched, avoid using Safari, and consider enabling Lockdown Mode.
Given the difficulty of exploiting these vulnerabilities successfully, it would be far easier for a hacker to use other attack methods. For example, tricking someone into typing sensitive information into a phishing site, or installing malware, is generally far easier than successfully exploiting SLAP or FLOP on a target’s device.
If there’s ever any Mac malware designed to exploit FLOP, SLAP, or other vulnerabilities, Intego will quickly add detection to keep our customers safe.
If you suspect that your Mac might be infected, or to prevent future infections, use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sequoia.
We discussed a few key points about SLAP and FLOP in episode 381 of the Intego Mac Podcast. For a deeper dive, we recommend reading Dan Goodin’s coverage at Ars Technica, as well as the researchers’ site. You can also read the researchers’ highly technical white papers (in PDF format) on SLAP and FLOP.