SLAP and FLOP browser vulnerabilities threaten nearly every Apple device since 2021

Fresh off the fix of a zero-day vulnerability in iPhones, iPads, Macs, and other devices, security researchers at the Georgia Institute of Technology have revealed a pair of vulnerabilities that affect all of Apple’s modern devices.

First reported at BleepingComputer, these are side-channel attacks that can use special code on websites to allow websites to execute “side-channel” attacks that steal data from other web sessions. A malicious site could, for example, see your location data from a Google Maps tab, or unencrypted email from an open browser tab that is logged in to your secure email account. Banking info, login info, purchase history—there are lots of potential targets.

Most modern browsers “sandbox” web sessions, so that one browser tab or window can’t access the data from other tabs/windows. The SLAP and FLOP vulnerabilities exploit features of the latest Apple processors to get around this sandboxing.

What is SLAP?

The M2 and A15 generation of processors (and later) have a feature called Load Address Prediction (LAP), which it tries to predict the memory address of the next memory request in order to prefetch it and speed things up. SLAP (Speculation Attacks via Load Address Prediction) first falsely “trains” that predictive algorithm and then uses that the pull targeted data from other browser processes.

SLAP seems to work only in Safari.

What is FLOP?

Starting with the M3/A17 generation of processors, Apple goes a step further than loading data from predicted memory addresses. They have a feature called Load Value Predictor (LVP), which guesses what the value will be from a memory request. It’s all to help the processor run faster by not having to wait around for data to come from memory.

FLOP (False Load Output Predictions) issues instructions that return the same values all the time to “trick” the predictor into expecting a certain value even when the data has changed, and that lets them execute code on “incorrect” data values.

FLOP works in Safari and Chrome.

Which Apple devices are affected?

The researchers say the following Apple devices have the hardware necessary to execute these flaws.

• All Mac laptops from 2022-present (MacBook Air, MacBook Pro)
• All Mac desktops from 2023-present (Mac Mini, iMac, Mac Studio, Mac Pro)
• All iPad Pro, Air, and Mini models from September 2021-present (6th- and 7th-gen iPad Pro, 6th-gen iPad Air, 6th-gen iPad Mini)
• All iPhones from September 2021-present (iPhone 13, 14, 15, and 16 models, 3rd-gen iPhone SE)

Should I be worried?

The Georgia Institute of Technology researchers say there is no evidence that either SLAP or FLOP has been used in the wild. Similarly, Apple told BleepingComputer, “Based on our analysis, we do not believe this issue poses an immediate risk to our users.”

Is Apple fixing these flaws?

Yes, but it appears to be taking some time. The researchers disclosed SLAP to Apple on May 24, 2024, and FLOP on September 3, 2024. Apple has released numerous updates since that time without fixing the issue here.

You can read more about these exploits and see test demonstrations of them in action at the SLAP and FLOP site set up by the Georgia Institute of Technology researchers.