A new report has exposed two major security flaws in Apple’s in-house chipsets, putting millions of Mac, iPhone, and iPad users at risk. The vulnerabilities could allow hackers to extract sensitive user data, including credit card details and location history, through side-channel attacks. Security researchers have named these exploits FLOP and SLAP, which target Apple’s speculative execution technology.
How Side-Channel Attacks Extract Sensitive Data
Not all cyberattacks rely on software vulnerabilities. Some, like side-channel attacks, exploit physical and behavioral characteristics of hardware to extract confidential information. This can include analyzing a processor’s timing, power consumption, or even electromagnetic emissions.
In Apple’s case, the newly discovered flaws stem from speculative execution—a performance-enhancing feature that anticipates future commands and executes them preemptively. While this technique speeds up processing, it also creates unintended leaks that attackers can exploit.
FLOP and SLAP: The Two New Threats
Security researchers have identified two distinct attack methods: FLOP and SLAP. Both manipulate Apple’s chip design to steal private data from Safari and Chrome browsers.
- FLOP: This attack exploits Apple’s Load Value Predictor (LVP), which guesses memory contents before they are available. By deceiving the LVP, hackers can extract sensitive data like Google Maps location history, Proton Mail inbox contents, and iCloud Calendar events.
- SLAP: This method targets the Load Address Predictor (LAP), which predicts where instructions should fetch data from. SLAP can cause Safari to leak private information from one tab to another, meaning an attacker’s site could extract sensitive data from an open Gmail tab.
How FLOP and SLAP Compare
A closer look at these two exploits reveals that FLOP is significantly more dangerous than SLAP.
Attack Type | Affected Components | Targeted Applications | Severity Level |
---|---|---|---|
FLOP | Load Value Predictor (LVP) | Safari, Chrome | High – Can read any memory address in browser process |
SLAP | Load Address Predictor (LAP) | Safari only | Medium – Limited to reading adjacent webpage strings |
FLOP is particularly concerning because it works across multiple browsers and has unrestricted access to memory addresses within the browser’s process space. SLAP, on the other hand, only affects Safari and is restricted to data stored near the attacker’s own JavaScript strings.
Affected Devices: Who’s at Risk?
The vulnerabilities impact devices powered by Apple’s latest custom chipsets. These include:
- MacBooks: All models released from 2022 onwards
- Mac desktops: Devices launched from 2023 onwards
- iPad Pro: Models introduced from September 2021 onwards
This means anyone using an M2 or later MacBook, a newer Mac desktop, or a recent iPad Pro could be vulnerable. iPhones powered by A-series chips may also be affected, though the full scope of exposure is still under investigation.
Can These Attacks Be Mitigated?
While FLOP and SLAP are serious threats, they are not easy to execute. These attacks require:
- Direct access to a vulnerable Apple device
- Malicious code running within Safari or Chrome
- A method to bypass existing browser security protections
Apple has not yet commented on the findings, but security patches are likely in the works. In the meantime, users can take precautionary steps:
- Keep your software up to date: Install the latest macOS, iPadOS, and iOS updates as soon as they are available.
- Use private browsing mode: This may limit the effectiveness of side-channel attacks.
- Be cautious with website permissions: Avoid granting unnecessary permissions to unfamiliar websites.
Security researchers emphasize that while these vulnerabilities are concerning, they are not immediate threats to everyday users. However, their existence highlights the growing risks associated with speculative execution, a feature that has already led to multiple security flaws across the industry.