Apple's browser does not provide sufficient protection  [30.10.23]

Apple's Safari browser can be used to obtain sensitive information from Apple devices under certain circumstances. The attack, called "iLeakage", makes it possible to bypass existing protections against side-channel attacks in Safari.

For personal data to be obtained, one of the following must be true: the data is entered on the opened page (login data could also be filled in automatically by a password manager); the page recognizes the user by means of cookie data and displays, for example, personalized content; or the page is a website on an internal network whose URL is known to attackers and which contains sensitive data.

As a general rule, users should always navigate directly to websites where they log in, and should not log in within windows or tabs that have been opened by other websites. Users should also log out of the web browser after using an online service and delete cookies regularly. Disabling JavaScript in the web browser also prevents the vulnerability from being exploited.

The attack abuses shortcomings in Safari's JavaScript engine, so other web browsers on macOS are not vulnerable to iLeakage. On iOS and iPadOS, however, other web browsers rely on Safari for technical reasons, so they are also vulnerable on Apple's mobile operating systems.

It can be assumed that Apple will shortly make a patch available for Safari on macOS as well as on iOS/iPadOS.

If you have any questions, please contact the Information Security staff unit.

