Overview of the iLeakage Attack.
We present iLeakage, a transient execution side channel targeting the Safari web browser present on Macs, iPads and
iPhones. iLeakage shows that the Spectre attack is still
relevant and exploitable, even after nearly 6 years of effort to mitigate it since its discovery.
We show how an attacker can induce Safari to render an arbitrary webpage, subsequently
recovering sensitive information present within it using speculative execution. In particular,
we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value
targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case
these are autofilled by credential managers.
Demo Videos.
Recovering Instagram Credentials
We show a scenario where the target uses an autofilling credential manager
(LastPass in this demo) to sign into Instagram with Safari on macOS.
Recovering Gmail Inbox Content
Assuming the target is signed into Google on Safari for iOS, we recover the subject
lines of the Gmail account’s most recent messages on an iPad.
Recovering YouTube Watch History
We recover YouTube watch history from the Chrome browser for iOS, which is a shell on
top of Safari’s browsing engine due to Apple’s App Store policy.
The People Behind iLeakage.
Frequently Asked Questions.
The Basics
Yes (with a very high chance), if you have a device running macOS or iOS with Apple’s
A-series or M-series CPUs. This includes all recent iPhones and iPads, as well as
Apple’s laptops and desktops from 2020 and onwards.

Code running in one web browser tab should be isolated and not be able to infer anything
about other tabs that a user has open. However, with iLeakage, malicious JavaScript and
WebAssembly can read the content of a target webpage when a target visits and clicks on
an attacker’s webpage. This content includes personal information, passwords, or credit
card information.

At the time of public release, Apple has implemented a mitigation for iLeakage
in Safari. However, this mitigation is not enabled by default, and enabling it
is possible only on macOS. Furthermore, it is marked as unstable.
We will keep this FAQ updated as Apple pushes more iOS and macOS updates.
If you wish to enable the mitigation on your Mac now, below are the steps:
If you have updated to macOS Sonoma:
- Open the Terminal app. You can find this in the Launchpad, or through Spotlight
  search.
- Copy and paste the following command, and press the Return key to run it:
    defaults write com.apple.Safari IncludeInternalDebugMenu 1
If you are on an earlier macOS version (macOS Ventura and earlier):
We recommend enabling automatic updates and updating to macOS Sonoma. However,
if you wish to enable the mitigation on older macOS versions, follow these
steps:
- First, download the version of Safari Technology Preview that matches your macOS
  version from Apple’s download page.
- Double-click the downloaded installer with the .pkg file extension,
  and follow its directions until Safari Technology Preview is installed.
- Open the Terminal app. You can find this in the Launchpad, or through Spotlight
  search.
- Copy and paste the following command, and press the Return key to run it:
    defaults write com.apple.SafariTechnologyPreview IncludeInternalDebugMenu 1
This enables Safari’s hidden debugging menu. Then, follow these steps:
1. Open Safari (or Safari Technology Preview). On the menu bar, you should see a
   new entry named Debug.
2. Click the Debug menu. This opens a long dropdown. Click on WebKit Internal
   Features.
3. This opens another long dropdown to the side. Scroll down to the bottom of this
   new dropdown, where you’ll find an entry called Swap Processes on Cross-Site
   Window Open.
4. Click this entry. A checkmark should appear to the left of it, like the
   screenshot below.
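
The Terminal step of the procedure above as a script, added here as an example and not part of the iLeakage authors' instructions. It picks the preferences domain by macOS version, writes the key from the page, and reads it back to confirm the write persisted; the Debug-menu toggle still has to be set by hand. The function names and the --apply flag are hypothetical, and treating macOS versions after 14 (Sonoma) like Sonoma is an assumption.

```bash
#!/bin/bash
# Added example, not from the iLeakage authors. Function names and the
# --apply flag are hypothetical. Only the Terminal step is automated.

# Map a macOS version (e.g. "14.1") to the preferences domain the page uses:
# Safari on Sonoma (14), Safari Technology Preview on Ventura and earlier.
# Assumption: versions after 14 are treated like Sonoma.
safari_domain_for() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) return 2 ;;   # not a version number
    esac
    if [ "$major" -ge 14 ]; then
        echo "com.apple.Safari"
    else
        echo "com.apple.SafariTechnologyPreview"
    fi
}

# Succeeds only if the key reads back as 1 in the given domain.
debug_menu_enabled() {
    value=$(defaults read "$1" IncludeInternalDebugMenu 2>/dev/null) || return 1
    [ "$value" = "1" ]
}

# Write the key, then read it back so a write that did not persist is reported.
enable_debug_menu() {
    domain=$(safari_domain_for "$1") || { echo "bad version: $1" >&2; return 2; }
    defaults write "$domain" IncludeInternalDebugMenu 1 || return 1
    if debug_menu_enabled "$domain"; then
        echo "$domain"
    else
        echo "write to $domain did not persist" >&2
        return 1
    fi
}

# On a Mac: ./enable_debug_menu.sh --apply
if [ "${1:-}" = "--apply" ]; then
    enable_debug_menu "$(sw_vers -productVersion)" &&
        echo "Next: Debug > WebKit Internal Features > Swap Processes on Cross-Site Window Open"
fi
```
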
Afterwards, you’re all set! To disable the mitigation, repeat steps 1-4 from above,
and the