Security researchers from Georgia Institute of Technology and Ruhr University Bochum have uncovered two critical vulnerabilities in Apple’s modern processors that could expose sensitive data through web browsers. These flaws, named FLOP and SLAP, stem from issues with Apple’s speculative execution, a feature designed to enhance processing speed by predicting memory addresses and data. While this technology can improve performance, it also leaves traces in memory that attackers can exploit to access private information. These vulnerabilities affect processors starting with the M2 and A15 generations, with the newest M3 and A17 processors being impacted by FLOP and M2/A15 by SLAP.
The FLOP attack targets Apple’s M3, M4, and A17 processors by exploiting errors in memory value predictions. When these predictions go wrong, the incorrect data is temporarily used in computations, allowing attackers to retrieve sensitive information through cache timing attacks. This flaw could allow attackers to bypass the security of web browsers like Safari and Chrome, leaking data such as Proton Mail inbox details, Google Maps location history, and private events from iCloud Calendar. The attack works by manipulating the processor into making mispredictions, and once the processor is in this incorrect state, it leaks the data before correcting itself.
On the other hand, the SLAP attack affects Apple’s M2 and A15 processors, relying on mispredictions in the memory address prediction process.
Attackers can train the CPU to anticipate specific memory access patterns and then manipulate it to access secret data by altering the memory layout.
This misprediction leads the processor to retrieve sensitive data that can then be inferred through side-channel attacks, exposing information like Gmail inbox contents, Amazon order history, and Reddit user activity. Both attacks can be executed remotely through malicious websites, making them especially dangerous, as they bypass traditional security measures such as browser sandboxing and memory protections.
Although Apple has acknowledged these vulnerabilities and is working on addressing them, no official patch has been released yet. In the meantime, researchers recommend disabling JavaScript in browsers like Safari and Chrome as a temporary mitigation. The remote nature of these attacks means users don’t need to install malware or have physical access to their devices, making them a significant threat to millions of Apple users. The attack method highlights the risks of side-channel vulnerabilities in modern hardware and the need for stronger security protocols to protect sensitive data.