A security flaw in Apple’s processors could allow cybercriminals to steal your private data simply by tricking you into visiting a website.
Security researchers have uncovered vulnerabilities in modern Apple CPUs that could let hackers extract sensitive information directly from your web browser. These attacks, known as FLOP and SLAP, exploit Apple’s speculative execution—a feature designed to speed up processing—causing the CPU to reveal confidential data before correcting itself.
This means that just by opening the wrong website, your Gmail inbox, Amazon order history, Google Maps location, or even your iCloud calendar events could be exposed to cybercriminals. Even worse, these attacks can happen remotely without requiring any downloads, malware, or physical access to your device.
Apple has acknowledged these vulnerabilities but has yet to release a fix. While the company claims these flaws do not pose an immediate risk, history has shown that cybercriminals are often quick to exploit such weaknesses.
How These Attacks Affect Everyday Users
Unlike typical cyber threats, which rely on malware or phishing, these side-channel attacks exploit how Apple’s processors predict and handle data. Hackers can use JavaScript on a malicious webpage to manipulate the CPU’s behavior and extract sensitive information before the system corrects itself.
For home users, this poses serious risks. Personal data, including emails, shopping history, and private calendar events, could be accessed without the user’s knowledge. The threat of identity theft also increases, as exposed information can be used to impersonate victims or gain access to other accounts.
What makes these attacks particularly concerning is that they do not rely on traditional malware. Unlike phishing scams or viruses that require clicking suspicious links or downloading malicious files, simply visiting a compromised website can be enough for an attack to occur.
To make matters worse, traditional antivirus software offers little protection against these threats. Because the attacks exploit CPU behavior rather than installing malicious code, they are far more challenging to detect and mitigate.
How You Can Protect Yourself
While we wait for Apple to release security patches, you can take proactive steps to reduce the risks associated with these vulnerabilities. Here are the key ones:
1. Consider Disabling JavaScript For Untrusted Websites
The FLOP and SLAP attacks rely on JavaScript running in your web browser. Temporarily disabling JavaScript in Safari or Chrome can help mitigate the risk. However, be aware that many websites rely on JavaScript for functionality, so this might impact your browsing experience.
- In Safari: Open Settings > Safari > Advanced, then disable JavaScript. (Note: This may break some website functionality.)
- In Chrome: Use extensions like NoScript or uBlock Origin to selectively block JavaScript on untrusted sites.
2. Keep Your Browser And Operating System Updated
Make sure you:
- Regularly update macOS and iOS by enabling automatic updates.
- Keep Safari and Chrome updated to their latest versions, as browser vendors may introduce mitigations before Apple releases a CPU-level fix.
3. Use A Privacy-Focused Browser
Browsers like Brave, DuckDuckGo, and Firefox focus on privacy and security, providing additional layers of protection against tracking and browser-based attacks.
4. Enable Strict Privacy And Security Settings
Enhance your browser security by:
- Blocking third-party cookies.
- Using private browsing mode to limit data exposure.
- Enabling enhanced tracking protection (available in Firefox and Brave).
5. Be Cautious With Unknown Websites
Avoid visiting unknown or suspicious websites, especially those promising free downloads, giveaways, or exclusive content. Cybercriminals often set up fake sites to exploit browser vulnerabilities.
6. Consider Using An Ad Blocker
Malicious ads (malvertising) can be used to execute these attacks even on legitimate websites. Install a reputable ad blocker like uBlock Origin or AdGuard to prevent malicious scripts from running in your browser.
7. Avoid Using Public Wi-Fi For Sensitive Browsing
Since these attacks can be executed remotely, browsing sensitive accounts (like banking, emails, or health records) on public Wi-Fi could increase exposure. If necessary, use a VPN to encrypt your connection.
8. Monitor Apple’s Security Updates
Follow Apple’s security page and subscribe to cybersecurity news sources. In cybersecurity, awareness is your best defense. Stay informed, stay secure.