Security leak discovered in iPhones from 2021 and Macs from 2022

Researchers from the Georgia Institute of Technology have discovered a vulnerability on all newer Apple devices, including iPhones.

Security leak discovered in iPhones and Macs

Due to the leak, malicious parties can carry out attacks in which data from other browser windows or tabs is stolen. For example, your location data on a Google Maps tab is visible, but bank details and login details are also potential targets.

Most modern browsers use a ‘sandbox’, so that a browser window has no access to data from other windows. The vulnerability on iPhones and Macs uses functions of the latest Apple processors to bypass this sandbox. In fact, there are two security leaks, called SLAP and FLOP.

SLAP and FLOP

SLAP (Speculation Attacks via Load Address Prediction) uses a function of the M2 and A15 processors to collect data from other browser windows. SLAP works in Safari. FLOP (False Load Output Predictions) tries to mislead the same function and can then execute (malicious) code. FLOP works in Safari and Chrome.

Which Apple devices are at risk?

According to the researchers, the following Apple devices contain the hardware that the vulnerability on iPhones and Macs relies on:

  • All MacBooks from 2022 (MacBook Air, MacBook Pro)
  • All Macs from 2023 (Mac Mini, iMac, Mac Studio, Mac Pro)
  • All iPad Pros, Airs and Minis from September 2021 (iPad Pro 6 and 7, iPad Air 6 and iPad Mini 6)
  • All iPhones from September 2021 (iPhone 13, 14, 15 and 16, iPhone SE 3)

There were already security problems in various Apple products. One of these errors, called CVE-2025-24085, was a so-called zero-day bug in the CoreMedia function. As a result, a malicious app that was already installed could gain a higher level of access than it should have. Apple resolved this problem with the iOS 18.3 update. It remains important to install Apple software updates as quickly as possible!

Security leak in iPhones and Macs has not yet been resolved

Apple will certainly solve the security leaks, but it seems to be taking a while. The researchers already reported SLAP to Apple on 24 May 2024 and FLOP on 3 September 2024. Apple has now told the website BleepingComputer:

We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats. Based on our analysis, we do not believe this issue poses an immediate risk to our users.

On the SLAP and FLOP website that the researchers at the Georgia Institute of Technology have set up, you can find out more about the security leaks on iPhones and Macs. For example, you can also see test demonstrations in action.