Hackers Gain Access to Gmail on All 2020 or Later iPhones And Macs

Security researchers working in partnership with the U.S. Air Force Office of Scientific Research and the Defense Advanced Research Projects Agency have exposed how hackers can gain access to your Gmail inbox and other sensitive data from Apple devices running iOS, iPadOS, and macOS. The side-channel attack known as iLeakage can be deployed beginning in 2020 using A or M series CPUs on Apple devices running Safari web browsers, specifically any browser on an iPhone or iPad.

What Is the iLeakage Exploit? In 2018, researchers at the Georgia Institute of Technology, the University of Michigan, and Ruhr University in Germany discovered the Spectre speculative execution attack iLeakage exploit. This exploit uses similar tactics as those found in Safari for macOS devices to compromise any browser running on iPhones and iPads that utilizes Apple’s WebKit engine underneath their hoods.

Researchers published their paper, entitled iLeakage browser-based Timerless Attacks on Speculative Execution Apple Devices, detailing how this vulnerability could be exploited by hackers. An attacker could exploit it by forcing Safari or any browser using WebKit to render a random webpage; “[we demonstrate how] Safari enables malicious websites to recover secrets from popular high-value targets by rendering random webpages,” reveal Gmail inbox content while simultaneously discovering passwords automatically filled by password managers; however, their vulnerability doesn’t end here; “we demonstrate how Safari allows malicious websites that allow them to recover secrets from popular high-value targets by rendering random pages.”

How an iLeakage Attack Could Read Your iPhone Gmail Inbox

The paper details that when targeting Gmail, one of the world’s best-known email services with billions of customers worldwide, an attacker would likely gain entry through their personal Google account and log onto it through any available device, with or without encryption enabled. By setting an event listener inside an attacker page to execute window.open(gmail.com), researchers explain, they could “consolidate the target’s inbox view into the attacker address space before releasing what’s inside theirs—updating this post when we hear back from Google when their response becomes available.” I asked Google about this and will update this post as soon as we hear back from them!

According to a research team, Apple was made aware of the iLeakage exploit on September 12, 2022, and currently, their only solution is Safari for Macs.

Find more details in the ILeakage FAQ. Unfortunately, no mitigation solution exists that works across both platforms right now.

However, an Apple spokesperson advised me that this proof-of-concept improves awareness of potential hazards. They acknowledge this issue and may address it in future software updates.’

Are attackers exploiting iLeakage? mes Fortunately, it appears iLeakage exploits have not been utilized widely on an open basis, which researchers attribute to their complexity as being “significantly difficult” and requiring extensive knowledge of browser-based side channel attacks and Safari implementation. Furthermore, as this malicious web page runs within Safari, it doesn’t leave any trace within system log files, though possibly within the browser cache depending on browser settings, thus making discovery “highly unlikely”.

Leave a Reply

Your email address will not be published. Required fields are marked *