• iPhone and Mac users beware - this dangerous new iOS and macOS se

    From TechnologyDaily@1337:1/100 to All on Thu Oct 26 13:00:05 2023
    iPhone and Mac users beware - this dangerous new iOS and macOS security flaw might see you give up your password without knowing

    Date:
    Thu, 26 Oct 2023 12:57:14 +0000

    Description:
    Researchers find a way to infiltrate iPhone and Mac devices, but it takes quite a bit of knowledge.

    FULL STORY ======================================================================

    For hackers and cybercriminals, speculative execution is a gift that keeps on giving.

    In the latest development, researchers used the technique to steal passwords and other sensitive content from Apple devices via a side-channel vulnerability that targets Macs, iPhones, and iPads running A- and M-series CPUs with the latest iOS and macOS operating systems.

    They named the flaw iLeakage, and what's more worrying is that it doesn't have a CVE, or a patch, just yet, meaning iPhone and Mac users could still be at risk.

    iLeakage

    For demonstration purposes, the researchers created a new website. When a visitor with a vulnerable endpoint visits that website, a piece of JavaScript code opens a second website and recovers site content rendered in a pop-up. Through that second website, the attackers are able to pull sensitive data from different services the victim is logged into - from YouTube, to Gmail, and more. Even passwords being autofilled by password managers aren't safe.

    Apparently, the iLeakage site needs around five minutes to profile the target and less than a minute to extract a 512-bit secret.

    "We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution," the researchers said.

    "In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers."

    Safari is used as the means of attack only on Macs. For iPhone and iPad devices, any browser will do, as they're all built on Apple's WebKit browser engine.

    Speculative execution is a feature built into most of today's hardware, to enhance its speed. In layman's terms, a chip will try to guess what the next operation will be and will preload it in anticipation. If it speculated correctly, it can execute the operation quickly, thus improving the device's overall speed. This feature has also been at the center of a number of controversies, starting with two huge vulnerabilities discovered roughly five years ago - Spectre and Meltdown. Patching the flaws meant slowing the devices down.

    While iLeakage sounds dangerous, Ars Technica argues that it's highly unlikely to be exploited in the wild as it requires plenty of experience and knowledge on how to reverse-engineer A- and M-series chips to gain insights into the side channel they contain. "There's no indication that this vulnerability has ever been discovered before, let alone actively exploited in the wild," the publication concludes.

    Via ArsTechnica



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/this-dangerous-new-ios-and-macos-security-flaw-might-see-you-give-up-your-password-without-knowing


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)