Security researchers have discovered two flaws present in all current iPhones, iPads, and Macs – as well as many earlier ones. The vulnerabilities, known as SLAP and FLOP, could potentially allow an attacker to see the current contents of your open web tabs.
The flaws were introduced in the A15 and M2 chips, and are also found in subsequent ones, up to and including the latest version of each device …
What are SLAP and FLOP?
SLAP (Speculation Attacks via Load Address Prediction) and FLOP (False Load Output Predictions) were discovered by security researchers at the Georgia Institute of Technology. They work in the same way as Spectre and Meltdown.
All these vulnerabilities stem from an approach used by Apple and other chip designers to speed up processing times. Known as speculative execution, the idea is that the chip tries to anticipate likely future commands, and to pre-emptively load the data required to execute them.
If an attacker can inject malformed data into these processes, then it can read memory content that shouldn’t be accessible.
What are the vulnerabilities?
In Safari, each tab should be sandboxed. That is, a website open in one tab cannot access data from another website open in another tab.
With SLAP, if an attacker can fool you into visiting a compromised website, they can then access data from any other Safari tab you have open. For example, it could read your emails, see your location in Apple Maps, see your banking details, and so on.
FLOP can do the same thing, but is more powerful, working with Chrome as well as Safari.
No malware is required on your Mac – the attacks are carried out using flaws in Apple’s own code, and there is very little chance of detecting that an attack is in progress.
Which devices are vulnerable?
Any Apple device with an A15 or later, as well as those with an M2 or later. The researchers confirmed that the following devices are vulnerable:
iPhone:
- iPhone 13
- iPhone 14
- iPhone 15
- iPhone 16
- 3rd-gen iPhone SE
iPad:
- iPad Air models from 2021 onwards
- iPad Pro models from 2021 onwards
- iPad mini models from 2021 onwards
Mac:
- MacBook Air models from 2022 onwards
- MacBook Pro models from 2022 onwards
- Mac mini models from 2023 onwards
- Mac Studio models from 2023 onwards
- iMac models from 2023 onwards
- Mac Pro (2023)
What’s the real-world risk?
The researchers say there is no evidence that either vulnerability has yet been exploited in the wild.
Apple has been working for some time on fixing both flaws since the company was first notified – in May 2024 for SLAP, and in September 2024 for FLOP.
The company issued a brief statement to Bleeping Computer:
Based on our analysis, we do not believe this issue poses an immediate risk to our users.
There’s currently no precaution you can take beyond the usual one of exercising care in the websites you visit.
Image: 9to5Mac collage using photo from Apple
FTC: We use income earning auto affiliate links. More.
