SLAP and FLOP security flaws affect all current Apple devices, and many older ones – 9to5Mac
Security researchers have discovered two flaws present in all current iPhones, iPads, and Macs – as well as many earlier ones. The vulnerabilities, known as SLAP and FLOP, could potentially allow an attacker to see the current contents of your open web tabs.

The flaws were introduced in the A15 and M2 chips, and are also found in subsequent ones, up to and including the latest version of each device …

SLAP (Speculation Attacks via Load Address Prediction) and FLOP (False Load Output Predictions) were discovered by security researchers at the Georgia Institute of Technology. They work in the same way as Spectre and Meltdown.

All these vulnerabilities stem from an approach used by Apple and other chip designers to speed up processing times. Known as speculative execution, the idea is that the chip tries to anticipate likely future commands, and to pre-emptively load the data required to execute them. If an attacker can inject malformed data into these processes, then they can read memory content that shouldn’t be accessible.

In Safari, each tab should be sandboxed. That is, a website open in one tab cannot access data from another website open in another tab. With SLAP, if an attacker can fool you into visiting a compromised website, they can then access data from any other Safari tab you have open. For example, they could read your emails, see your location in Apple Maps, see your banking details, and so on.

FLOP can do the same thing, but is more powerful, working with Chrome as well as Safari. No malware is required on your Mac – the attacks are carried out using flaws in Apple’s own code, and there is very little chance of detecting that an attack is in progress.

Any Apple device with an A15 or later, as well as those with an M2 or later.
The researchers confirmed that the following devices are vulnerable:

The researchers say there is no evidence that either vulnerability has yet been exploited in the wild.

Apple has been working for some time on fixing both flaws since the company was first notified – in May 2024 for SLAP, and in September 2024 for FLOP.

The company issued a brief statement to Bleeping Computer:

Based on our analysis, we do not believe this issue poses an immediate risk to our users.

There’s currently no precaution you can take beyond the usual one of exercising care in the websites you visit.

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!