Apple CPU Vulnerabilities Exploited via WebKit Browsers

Researchers from the Georgia Institute of Technology, the University of Michigan and Ruhr University have developed a technique called iLeakage that exploits vulnerabilities in Apple's ARM-based "A" and "M" series processors through a specially crafted page opened in a browser. The researchers built prototype exploits that, when run as JavaScript in the browser, can read the contents of other open tabs: for example, the text of an open email in Gmail, YouTube watch history, or passwords stored in the LastPass password manager as Instagram credentials are being entered. The attack works in Safari on macOS and in any browser on iOS.

The attack demonstrates an interesting method for bypassing the timer restrictions in the WebKit engine, which may have implications beyond Apple products. The vulnerability found in the Apple M1 and M2 chips is similar to the classic Spectre v1 vulnerability, in which memory contents leak during operations performed speculatively. Although the processor discards the results of those operations when the prediction turns out to be wrong, traces of them remain in the processor cache.
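The Spectre v1 pattern referred to above, shown as an added example that is not part of the original report or the iLeakage research code: a bounds-checked table lookup in the form a speculative out-of-bounds load can slip past, next to a variant that clamps the index with a data-dependent mask so a mispredicted branch cannot widen it. The table contents and the `index_nospec` helper are constructed for this example (the helper follows the idea of the Linux kernel's `array_index_nospec()`, but is not that code).

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample table; in a real program anything mapped after it
   (secrets, pointers) is what a speculative over-read would touch. */
static const uint8_t table[16] = {10, 11, 12, 13, 14, 15, 16, 17,
                                  18, 19, 20, 21, 22, 23, 24, 25};
static const size_t table_len = sizeof table;

/* Spectre v1 shape: the branch guards the load, but while the branch is
   still being predicted the CPU may execute table[idx] with idx out of
   range. The architectural result is discarded; the cache footprint of the
   load is not. */
uint8_t lookup_unmasked(size_t idx) {
    if (idx < table_len)
        return table[idx];
    return 0;
}

/* Branch-free clamp: (idx < len) is 0 or 1, so 0 - that value is either
   0 or all ones. AND-ing the index with it yields idx when in range and 0
   otherwise, and the result is computed from data rather than from a
   prediction. Production helpers use inline asm for the comparison so the
   compiler cannot turn it back into a branch; this plain-C form is for
   illustration. */
static inline size_t index_nospec(size_t idx, size_t len) {
    size_t in_range = (size_t)(idx < len);   /* 0 or 1 */
    size_t mask = (size_t)0 - in_range;      /* 0 or SIZE_MAX */
    return idx & mask;
}

/* Hardened lookup: even if the check is mispredicted, the index fed to the
   load is forced to 0, so the speculative access stays inside the table. */
uint8_t lookup_masked(size_t idx) {
    if (idx >= table_len)
        return 0;
    idx = index_nospec(idx, table_len);
    return table[idx];
}
```

Both functions return the same values architecturally; the difference is only in what the CPU may touch while speculating, which is exactly the channel the article describes.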

In this case, speculative execution allowed the construction of a primitive for reading arbitrary 64-bit pointers in the address space of the browser process. To reach the address space of a different process that renders other websites, a trick is used: the targeted page is opened in a pop-up window with the JavaScript method window.open(). Instead of being opened in a separate process, the attacking code and the foreign page under study run in the same process.
