New Apple Processor Vulnerabilities: FLOP and SLAP Exploit Speculative Execution

Security researchers have uncovered two new vulnerabilities in modern Apple processors, named FLOP and SLAP, which could allow attackers to remotely steal sensitive data through web browsers. Discovered by researchers from the Georgia Institute of Technology and Ruhr University Bochum, these flaws exploit speculative execution, a performance optimization feature in Apple’s processors, to extract private user data from browsers like Safari and Chrome.

How FLOP and SLAP Exploit Speculative Execution

Speculative execution is a technique used by modern processors to predict and execute instructions in advance, improving performance. However, flaws in its implementation have led to significant security issues in the past, such as the Spectre and Meltdown attacks. FLOP and SLAP build on these exploits, demonstrating how Apple’s latest chips can be manipulated to leak private information.

FLOP (False Load Output Prediction) affects Apple’s M3, M4, and A17 processors. These chips attempt to predict not only which memory addresses will be accessed but also the actual data values stored in memory. If a misprediction occurs, the CPU may use incorrect data in temporary computations. Attackers can exploit this by measuring cache timing differences, allowing them to extract sensitive information before the system corrects itself. Researchers demonstrated FLOP by stealing private user data, including email details from Proton Mail, Google Maps location history, and iCloud Calendar events.

SLAP (Speculative Load Address Prediction) impacts Apple’s M2 and A15 processors, along with later models. Unlike FLOP, which predicts data values, SLAP manipulates the processor’s ability to anticipate which memory address will be accessed next. By training the CPU to follow a specific pattern and then suddenly altering it, attackers can force the processor to read sensitive data. The CPU processes this information before realizing the mistake, leaving traces that hackers can analyze. Researchers used SLAP to extract Gmail inbox content, Amazon order history, and Reddit activity.

Implications and Mitigation Efforts

Both FLOP and SLAP are particularly concerning because they can be executed remotely. A victim only needs to visit a malicious website running JavaScript or WebAssembly code designed to exploit these vulnerabilities. The attack does not require malware installation or direct access to the device, making it difficult to detect or prevent.

The researchers disclosed the flaws to Apple in early 2024. While Apple has acknowledged the issues, security patches have not yet been released. Apple has stated that it does not consider the vulnerabilities an immediate risk but has not provided a timeline for fixes. In the meantime, users concerned about potential data exposure can disable JavaScript in their browsers, though this may break many websites.

These findings highlight the growing sophistication of web-based attacks and the need for stronger security measures in modern processors. As Apple works on mitigating these vulnerabilities, users should stay informed about security updates and exercise caution when browsing unfamiliar websites.

The discovery of FLOP and SLAP underscores the ongoing challenges in securing modern processors against advanced exploits. While speculative execution enhances performance, its vulnerabilities continue to pose significant risks. As cyber threats evolve, both hardware manufacturers and users must remain vigilant, adopting proactive measures to safeguard sensitive data and maintain digital security.

Critical Apple Security Vulnerability CVE-2024-44131 Patched: What You Need to Know

Jamf Threat Labs has identified a critical flaw in Apple’s Transparency, Consent, and Control (TCC) framework, labeled CVE-2024-44131. This vulnerability allows malicious applications to bypass user consent protocols and access sensitive data without user awareness. The issue impacts both macOS and iOS platforms but has been resolved in macOS 15 and iOS 18 updates.

The TCC Framework and Its Role

The TCC framework is designed to protect sensitive user data by requiring app permissions. However, the CVE-2024-44131 vulnerability undermines this security mechanism. According to Jamf, “This TCC bypass allows unauthorized access to files, Health data, the microphone or camera, and more without alerting users. This compromises user trust and puts personal data at risk.”

Exploitation Techniques

Attackers exploit this flaw by using symlink techniques and elevated system process privileges, such as those of fileproviderd and Files.app. These methods enable discreet copying of user data into attacker-controlled directories. Jamf noted, “This exploitation can occur in the blink of an eye, entirely undetected by the end user.”

Malicious apps can intercept file operations within the Files.app, redirecting sensitive data without triggering any TCC permission prompts.
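The symlink redirect described above is the classic failure of a privileged file handler that follows links blindly. The following is an added example, not Jamf's proof of concept or Apple's code: it builds a constructed directory layout in which a link inside an app container points at protected data outside it, shows a naive copier leaking that data, and shows a guarded copier that resolves the path and refuses anything that escapes the container.

```python
# Added example (not Jamf's PoC or Apple's code): a privileged copier that
# must only read inside an app's container, run against a constructed layout
# in which a symlink inside the container points at protected data outside it.
import shutil
import tempfile
from pathlib import Path


def is_within(path: Path, root: Path) -> bool:
    """True only if `path`, with every symlink resolved, stays under `root`."""
    real_root = root.resolve(strict=True)
    real_path = path.resolve(strict=True)
    return real_path == real_root or real_root in real_path.parents


def naive_copy(src: Path, dst: Path) -> None:
    """Follows symlinks blindly: a link in the container redirects the read."""
    shutil.copyfile(src, dst)


def guarded_copy(src: Path, dst: Path, container: Path) -> None:
    """Refuses a source that is itself a symlink or resolves outside the container."""
    if src.is_symlink() or not is_within(src, container):
        raise PermissionError(f"refusing {src}: resolves outside {container}")
    shutil.copyfile(src, dst)


def demo() -> dict:
    """Build the constructed layout and record what each copier does."""
    base = Path(tempfile.mkdtemp())
    container, protected, out = base / "container", base / "protected", base / "out"
    for d in (container, protected, out):
        d.mkdir()
    secret = protected / "health.db"          # stands in for TCC-guarded data
    secret.write_text("constructed sensitive contents")
    link = container / "harmless.txt"
    link.symlink_to(secret)                   # the symlink redirect
    naive_copy(link, out / "leaked.db")
    leaked = (out / "leaked.db").read_text() == secret.read_text()
    try:
        guarded_copy(link, out / "blocked.db", container)
        blocked = False
    except PermissionError:
        blocked = True
    shutil.rmtree(base)
    return {"naive_leaked": leaked, "guarded_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The containment check is what a process acting with fileproviderd-level privileges needs before honouring a path handed to it by a less trusted app; rejecting the link outright, rather than trying to sanitise it, is the simpler and safer rule.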

Risks Associated with Synchronized Data

The vulnerability highlights the dangers of synchronized data across devices. Jamf explained, “Services like iCloud, which enable data syncing across multiple devices, give attackers multiple entry points to exploit and access valuable intellectual property and data.”

Data stored in iCloud, such as backups from popular apps like WhatsApp, Pages, and GarageBand, is particularly vulnerable due to weak protections. A proof of concept by Jamf demonstrated how attackers could exfiltrate WhatsApp backups stored in iCloud.

Implications of the Vulnerability

  • Personal Data Exposure: Sensitive information such as photos, Health data, and contacts may be compromised.
  • Corporate Security Risks: The reliance on mobile devices for business operations makes them vulnerable to exploitation.
  • Stealth Attacks: The vulnerability allows undetected exploitation, making mitigation challenging.

Apple’s Response

Apple has resolved the CVE-2024-44131 vulnerability in iOS 18 and macOS 15, urging users to update their devices immediately. Organizations are advised to implement proactive security measures to monitor and block suspicious app behaviors.

Jamf emphasized, “While Apple’s OS updates address specific vulnerabilities, proactive endpoint protection is crucial for detecting and blocking unexpected behaviors or abnormal requests.”