Written by 
Recent findings by security researchers have unearthed vulnerabilities in Apple devices equipped with M2 and A15 chips and newer models. This includes a range of gadgets such as iPhones, iPads, MacBook laptops, and Mac desktops. The identified flaws, named SLAP and FLOP, were initially highlighted by Bleeping Computer, and may enable cybercriminals to extract data from a user’s active web tabs. Depending on the open tabs, this could expose private information such as passwords and banking details.
These vulnerabilities stem from a hardware issue rather than being a software-related concern. They impact the CPUs, making them susceptible to side-channel attacks. Such exploits analyze CPU performance, leveraging variables like power use, timing, and auditory cues to glean details about user activity—much like the Spectre and Meltdown weaknesses uncovered back in 2018.
While these revelations are complex, the key takeaway is that they open the door for attackers to access sensitive information even when it’s well-protected by software. This is not solely an Apple issue; rather, it’s linked to a performance enhancement technique that most modern CPUs incorporate.
At its core, computer programming involves a sequence of instructions for the CPU to follow, which branch out into numerous possible outcomes. For instance, scenarios can be set as “if A occurs, execute X; if B happens, proceed with Y.” As programs grow, they handle a myriad of decisions to drive functionality.
To increase operational speed, it has become commonplace to predict which path a CPU should pursue and begin executing instructions preemptively. This method allows multiple tasks to progress simultaneously instead of waiting sequentially.
This optimization technique, known as speculative execution or branch prediction, is based on anticipatory logic, which can sometimes lead to errors. When these predictions fail, the resulting vulnerabilities can be exploited by attackers.
The complete titles for these vulnerabilities are “Data Speculation Attacks via Load Address Prediction on Apple Silicon (SLAP)” and “Breaking the Apple M3 CPU via False Load Output Predictions (FLOP).” While both flaws essentially produce the same outcome, SLAP is confined to the Safari browser, whereas FLOP is also applicable to Chrome.
The research provides evidence that attacks utilizing these vulnerabilities are feasible, although there is currently no information suggesting that they have been exploited by hackers. The researchers disclosed their findings to Apple last year, which acknowledged receipt and mentioned intentions to resolve the vulnerabilities. However, since the papers’ publication, Apple has only issued a single statement, saying:
“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats. Based on our analysis, we do not believe this issue poses an immediate risk to our users.”
While these attacks don’t rely on malware, they typically initiate from visits to malicious websites. Thus, a prudent approach is to exercise caution with suspicious links and URLs until security patches are rolled out.