A breakthrough in Apple’s A-series and M-series chip designs has uncovered two critical vulnerabilities that enable side-channel attacks. These attacks allow hackers to steal sensitive data such as credit cards, locations, and login credentials from popular browsers like Chrome and Safari on Macs, iPhones, and iPads. The vulnerabilities exploit the chips’ speculative execution feature, which optimizes performance by predicting control flow but now also predicts memory addresses.
The attacks are named FLOP (Exploiting LVP) and SLAP (Exploiting LAP). FLOP targets Apple’s load value predictor, allowing attackers to access location history from Google Maps and inbox content from Proton Mail. SLAP focuses on the load address predictor, enabling access to sensitive JavaScript code in iCloud Calendar when browsing multiple tabs.
A14/M1 chips are affected, but older models (A13, M10, M9) remain secure. To prevent these vulnerabilities, users would need to disable speculative execution and other performance-boosting features, resulting in significant performance degradation—potentially up to 10x slower or hundreds of times slower depending on the workload.
These findings underscore the ongoing trade-off between speed and security in modern computing.
Source: https://arstechnica.com/security/2025/01/newly-discovered-flaws-in-apple-chips-leak-secrets-in-safari-and-chrome