SLAP and FLOP Security Vulnerabilities Impact All Current Apple Devices


Security experts have identified two vulnerabilities affecting all modern iPhones, iPads, and Macs, as well as several older models. Named SLAP and FLOP, these flaws could enable an attacker to view the contents of your active web tabs.

These vulnerabilities were first introduced with the A15 and M2 chipsets, and they persist in subsequent models including the latest releases.

What are SLAP and FLOP?

SLAP (Speculation Attacks via Load Address Prediction) and FLOP (False Load Output Predictions) are vulnerabilities identified by researchers from the Georgia Institute of Technology. Their operation is similar to that of the Spectre and Meltdown exploits.

These vulnerabilities arise from a strategy employed by Apple and other chip manufacturers to enhance processing speeds, known as speculative execution, which allows the chip to anticipate likely future commands and pre-load necessary data.

If an attacker manages to make the chip speculate on erroneous data, they could read memory contents that should remain secure.

What are the vulnerabilities?

In Safari, each tab is designed to be isolated, meaning a website in one tab should not be able to access information from a different tab.

With SLAP, an attacker could trick you into visiting a malicious site, allowing them to retrieve data from any other open Safari tab. This could include sensitive information such as emails, your location in Apple Maps, or banking details.

FLOP functions in a similar way but is more sophisticated, and it works against both the Safari and Chrome browsers.

No malware is necessary on your Mac for these attacks to occur; they exploit flaws in Apple’s own software, making them difficult to detect.

Which devices are vulnerable?

Devices that utilize an A15 chip or later, or an M2 chip or later, are susceptible. Confirmed vulnerable devices include:

iPhone:

  • iPhone 13
  • iPhone 14
  • iPhone 15
  • iPhone 16
  • 3rd-generation iPhone SE

iPad:

  • iPad Air models from 2021 onwards
  • iPad Pro models from 2021 onwards
  • iPad mini models from 2021 onwards

Mac:

  • MacBook Air models from 2022 onwards
  • MacBook Pro models from 2022 onwards
  • Mac mini models from 2023 onwards
  • Mac Studio models from 2023 onwards
  • iMac models from 2023 onwards
  • Mac Pro (2023)

What’s the real-world risk?

According to researchers, there is currently no evidence that these vulnerabilities have been leveraged in real-world attacks.

Apple has been actively working on solutions for these vulnerabilities since being notified—SLAP in May 2024 and FLOP in September 2024.

The company provided a brief comment to Bleeping Computer:

"Based on our analysis, we do not believe this issue poses an immediate risk to our users."

Presently, the best precaution is to exercise discretion in the websites you visit.

Image: DMN collage using a photo from Apple
