
Content

Hi Team

I've been on the road - finishing up some Dev work with the team on some new tools and roadmaps - updates real soon. So I have not been as active during the day. Wrapping up today, back tonight.

Researchers have devised an attack, named iLeakage, that forces Apple’s Safari browser to divulge passwords, Gmail message content, and other secrets. It works by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices. iLeakage requires minimal resources to carry out. The vulnerability it exploits hasn’t been patched yet. While iLeakage works against Macs only when running Safari, iPhones and iPads can be attacked when running any browser because they’re all based on Apple’s WebKit browser engine. An Apple representative said iLeakage advances the company’s understanding and that the company is aware of the vulnerability and plans to address it in an upcoming software release. There is no CVE designation to track the vulnerability.

Unique WebKit attributes are one crucial ingredient in the attack. The design of A-series and M-series silicon—the first generation of Apple-designed CPUs for iOS and macOS devices respectively—is the other. Both chips contain defenses meant to protect against speculative execution attacks. Weaknesses in the way those protections are implemented ultimately allowed iLeakage to prevail over them.

https://arstechnica.com/security/2023/10/hackers-can-force-ios-and-macos-browsers-to-divulge-passwords-and-a-whole-lot-more/


h/t to Sanjay for sharing with us

Files

Hackers can force iOS and macOS browsers to divulge passwords and much more

iLeakage is practical and requires minimal resources. A patch isn't (yet) available.

Comments

Anonymous

As a PC user constantly told Mac's way safer and can't be hacked etc., this is interesting.

Anonymous

Infinite ways to hack a PC over the whole existence. One hack that’s nearly impossible to pull off for a Mac shows up years after its first existence. PC user: “See!!! It’s the same!” 😂

Anonymous

If researchers found this vulnerability, they should have simply told Apple about it and not sprayed it all over the internet so malicious actors don’t get the idea.