CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Mobile & Wireless

iLeakage Attack Exploits Safari to Steal Sensitive Data From Macs, iPhones

New iLeakage side-channel speculative execution attack exploits Safari to steal sensitive information from Macs and iPhones.


A team of academic researchers has disclosed the details of a new Spectre-style side-channel attack that exploits Safari to steal sensitive information from Macs, iPhones and iPads.

Described as a timerless speculative execution attack and named iLeakage, the new method can be used to induce Safari to render an arbitrary webpage and harvest information from that page. 

The attacker needs to lure the targeted Safari user to a malicious website, which then automatically opens the site from which they want to steal information. This is possible because the rendering process handles both the iLeakage attack website and the targeted site.

iLeakage was discovered by researchers from the University of Michigan, Georgia Institute of Technology, and Ruhr University Bochum, who this week published a paper detailing their findings. 

The experts showed how the attack could be used to obtain passwords and other sensitive information. They published video demos showing how the iLeakage attack can be leveraged to steal Instagram credentials autofilled by a password manager, email subject lines from a Gmail inbox, and a user’s YouTube watch history

The findings were reported to Apple in September 2022, but the tech giant has so far only made available a mitigation for Safari on macOS, and it’s not enabled by default, in addition to being unstable, according to the researchers.

Apple told SecurityWeek that the proof of concept developed by the researchers advances the company’s understanding of these types of threats. Apple plans on further addressing the issue in its next scheduled software release.

On one hand, there is no evidence that iLeakage has been exploited in the wild and the attack is not easy to conduct. “[It] requires advanced knowledge of browser-based side-channel attacks and Safari’s implementation,” the researchers said.

Advertisement. Scroll to continue reading.

On the other hand, the experts noted that the attack would be difficult to detect since it runs in Safari and does not leave any trace in system log files.

On macOS, iLeakage only impacts Safari because other browsers such as Edge, Firefox and Chrome use different JavaScript engines, the researchers said. However, on iOS the attack can work with other browsers as well because Chrome, Edge and Firefox are basically ‘wrappers on top of Safari’.

“iLeakage shows that the Spectre attack is still relevant and exploitable, even after nearly 6 years of effort to mitigate it since its discovery,” the researchers noted. 

Related: Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack

Related: New GPU Side-Channel Attack Allows Malicious Websites to Steal Data

Related: New ‘Inception’ Side-Channel Attack Targets AMD Processors

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.