Researchers from Georgia Institute of Technology and Ruhr University Bochum have uncovered two serious vulnerabilities—SLAP and FLOP—affecting Apple devices with chips from 2021 onward. These flaws could allow attackers to access sensitive information, including credit card details and personal location data, by tapping into platforms like iCloud Calendar, Google Maps, and Proton Mail through Safari and Chrome.
As of January 28, Apple is aware of the issue. An Apple spokesperson reassured Ars Technica that they don’t see an immediate danger for users but confirmed that a patch will be released sometime in the future. So far, there’s no evidence that these vulnerabilities have been exploited.
Here’s a rundown of the devices at risk:
- Mac laptops: All models from 2022 onward, including MacBook Air and MacBook Pro.
- Mac desktops: All models from 2023 onward, like Mac Mini and iMac.
- iPads: All Pro, Air, and Mini models from September 2021 onward.
- iPhones: All models from iPhone 13 through 16 and SE (3rd generation).
Let’s break down SLAP and FLOP. Both vulnerabilities leverage speculative execution, a technique that attackers exploit to glean data through indirect signals such as power use and timing. Apple’s modern chips sometimes unwittingly assist these techniques. SLAP predicts which memory address the CPU will access next and attacks through the Safari browser, potentially exposing emails and browsing history. FLOP, on the other hand, predicts what data the CPU will retrieve next and targets both Safari and Chrome, allowing access to location history, calendar events, and credit card info.
Researchers Jason Kim, Jalen Chuang, Daniel Genkin, and Yuval Yarom noted that SLAP and FLOP circumvent existing security measures designed to keep open web pages isolated from each other, making it easier for malicious pages to access sensitive information.
These vulnerabilities highlight the risks of side-channel attacks, which exploit vulnerabilities inherent to hardware, making them hard to detect. Back in March 2024, Apple faced another side-channel attack named GoFetch.
For users concerned about these vulnerabilities, there isn’t much they can do on their end since the issues stem from the hardware itself. The researchers recommend enabling automatic updates and ensuring devices have the latest operating systems and applications, as Apple plans to address these flaws with a future security update. TechRepublic has reached out to Apple for further information.
