Remember Spectre, the speculative execution attack? Researchers have discovered a new exploitation technique called the “iLeakage Attack” that can exploit processors’ speculative execution feature. Specifically, an attacker may be able to steal passwords and extract data from pages in the Safari browser on Apple silicon (M-series processor) Macs. iPhones and iPads (with A-series processors) are also vulnerable.
In a paper titled “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices” (PDF), four university researchers describe the attack. They demonstrate how an attacker can recover passwords that were autofilled by a credential manager, or the contents of Web pages (for example, a victim’s private Gmail messages or YouTube watch history), using their iLeakage exploit.
Here are the most important things to know about the iLeakage Attack.
The researchers are unaware of any real-world attacks that may have leveraged the iLeakage exploitation methodology. But that doesn’t mean it hasn’t happened.
It is highly unlikely that anyone—aside from a threat actor that may have used the technique—would ever know that the exploit had been used. No system logs would indicate the usage of such exploits.
If you’re concerned about someone potentially using the iLeakage Attack against you, there are a few options for protecting your system.
The iLeakage homepage explains that Apple implemented a (non-default) mitigation for this exploit in macOS Ventura 13.0. This means that all later versions of macOS—including macOS Sonoma 14.x—have the capability to enable Apple’s mitigation method. The caveat: Apple chose to leave the mitigation disabled by default, meaning that concerned users or IT administrators will have to manually enable the mitigation technique.
Users of macOS Sonoma can follow this process to enable the mitigation:
defaults write com.apple.Safari IncludeInternalDebugMenu 1
More complete steps on how to enable Full Disk Access, as well as the slightly different mitigation method for macOS Ventura, are available on the iLeakage site.
An alternative way to block the iLeakage exploitation technique is to enable Lockdown Mode. However, Lockdown Mode has other side effects that average users may find undesirable, as it’s specifically designed to reduce the device’s feature set to limit its attack surface. Apple intends for Lockdown Mode to be used by people who are highly likely to be targeted by well-funded, nation-state level threat actors.
Only Safari is vulnerable to the specific exploitation technique developed by the researchers. Thus, using Firefox, Chrome, or another Chromium-based browser would be sufficient to stop the iLeakage Attack.
While Intel got a bad rap for the existence of these vulnerabilities, the problem wasn’t actually limited to only Intel (or even AMD) CPUs. ARM-based processors, like those in Apple’s iPhone, iPad, and iPod touch products, also required software-based mitigations. Apple released some relevant security patches for these systems, as well as for Macs, in December 2017 (before the vulnerabilities were disclosed to the public) and January 2018.
Later speculative execution exploits have included Foreshadow (August 2018), SPOILER (March 2019), ZombieLoad (May 2019), Retbleed (July 2022), and Downfall (August 2023), all of which affected Intel processors. Yet another, PACMAN (June 2022), affected Apple M1 processors specifically.
Image credit: xkcd #1938 by Randall Munroe
Apple began to migrate Macs to its own ARM-based “M-series” (M1, M2, and M3) processors, collectively dubbed “Apple silicon,” in 2020. Other than refurbished units, Apple no longer sells Intel-based Macs today. However, Apple still supports many Intel Macs; macOS Sonoma is compatible with many Intel-based Mac models released between 2017 and 2020.
Of course, as we have seen with PACMAN and now iLeakage, even Apple silicon Macs are not invulnerable to speculative execution attacks. It is likely that more such attack methods will be discovered in the future.
More details about the iLeakage Attack, including demonstration videos, are available at the researchers’ site: ileakage.com.