Researchers Uncover Major Flaws in Apple Silicon Allowing Browser Data Leaks
Newly identified SLAP and FLOP attacks exploit speculative execution in Apple chips to access sensitive data in Safari and Chrome.
- SLAP and FLOP are two new side-channel attacks targeting Apple Silicon processors, affecting devices like MacBooks, iPhones, and iPads released since 2021.
- Both attacks exploit speculative execution mechanisms in Apple's Load Address Predictor (LAP) and Load Value Predictor (LVP) to extract sensitive data from browser tabs.
- SLAP enables malicious webpages in Safari to access data from other open tabs, such as Gmail inbox content and Amazon purchase history.
- FLOP affects both Safari and Chrome, allowing attackers to retrieve personal data like location history, credit card details, and iCloud Calendar events.
- Researchers have proposed mitigations, including enabling the Data Independent Timing (DIT) bit, but Apple has stated it does not believe these flaws pose an immediate risk to users.