Overview
- SLAP and FLOP are two new side-channel attacks targeting Apple Silicon processors, affecting devices like MacBooks, iPhones, and iPads released since 2021.
- These vulnerabilities exploit speculative execution in Apple Silicon CPUs, specifically the Load Address Predictor (LAP) and Load Value Predictor (LVP), to extract sensitive data from browser tabs.
- SLAP enables malicious webpages in Safari to access data from other open tabs, such as Gmail inbox content and Amazon purchase history.
- FLOP affects both Safari and Chrome, allowing attackers to retrieve personal data like location history, credit card details, and iCloud Calendar events.
- Researchers have proposed mitigations, including enabling the Data Independent Timing (DIT) bit, but Apple has stated it does not believe these flaws pose an immediate risk to users.