Hackers can force iOS and macOS browsers to divulge passwords and much more::iLeakage is practical and requires minimal resources. A patch isn’t (yet) available.

  • AutoTL;DRB
    link
    fedilink
    English
    61 year ago

    This is the best summary I could come up with:


    Researchers have devised an attack that forces Apple’s Safari browser to divulge passwords, Gmail message content, and other secrets by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices.

    The researchers have successfully leveraged iLeakage to recover YouTube viewing history, the content of a Gmail inbox—when a target is logged in—and a password as it’s being autofilled by a credential manager.

    Once visited, the iLeakage site requires about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.

    “In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content.

    Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.”

    The design of A-series and M-series silicon—the first generation of Apple-designed CPUs for iOS and macOS devices respectively—is the other.


    The original article contains 327 words, the summary contains 157 words. Saved 52%. I’m a bot and I’m open source!