Apple Vulnerabilities Could Endanger Your Crypto – One Is Not Patchable
KEY TAKEAWAYS
- Apple reported a vulnerability that opens up users to data theft in the browser, including passwords and potentially crypto.
- The latest iOS updates should fix this vulnerability, so it's imperative for users to update their devices, Macs, and mobile phones.
- JavaScriptCore and WebKit services are the root cause of the vulnerability, and Apple said they've already been exploited by hackers.
- Apple's M1, M2, and M3 Mac chips remain vulnerable to data theft, including crypto wallet-sensitive data, as the vulnerability is on the hardware.
On Monday, Apple confirmed an iOS vulnerability that could result in massive crypto theft.
An attacker could inject malicious code through JavaScript (web-based attack), which opens the way to a cross-site scripting attack.
More importantly, the flaw was already discovered and misused by hackers.
Apple is aware of a report that this issue may have been exploited on Intel-based MAC systems.
- Apple
This is further compounded by a March report that Apple's last-gen chips (M1, M2, and M3 series) are vulnerable to cryptographic key theft.
Let's see what this means for Apple users.
Root Cause of the Vulnerability - WebKit & JavaScriptApple's analysis of the vulnerability narrows down the problem to two things:
1. Web-based arbitrary code execution through JavaScriptCore. This was exploited on Intel-based Mac systems.
2. Cross site scripting attacks through WebKit, similarly exploited on Intel-based Mac systems.
Both issues have been addressed in the latest update, as Changpeng Zhao (Binance CEO) notified on X.
If you haven't updated your Intel-based Macbook, do it now. You need the latest version of WebKit and JavaScriptCore to patch this vulnerability.
Otherwise, your crypto assets may be at risk.
Apple issued a similar vulnerability report for iOS 18.1.1 and iPadOS 18.1.1. JavaScripCore and WebKit were also the culprits.
As for the solution, an OS update should' solve the issue.
Free Access to Browser Passwords & Crypto KeysThat's right, this vulnerability allowed hackers to see any sensitive data stored in your browser. This includes crypto wallet private keys.
[...] attackers could access sensitive data like private keys or passwords.
This is further aggravated by a March report from Apple saying that the M1, M2, and M3 chips are also vulnerable.
A different kind of vulnerability, mind you.
Hackers can steal cryptographic keys through a prefetching' exploit, which accesses data stored in the processor and then builds a cryptographic key that should be private.
The problem is that this is a chip-level vulnerability and, thus, not patchable through software updates.
Apple... Just Why?The good news is that if you use a current-gen Apple chip, you're safe. The latest software updates removed the vulnerability, so your crypto and passwords are secure.
The bad (or horrible) news is that M1, M2, and M3 chip users are still open to the prefetching exploit. But only if you install malware on your device.
The only solution is to move your crypto wallets to other devices, like a Windows PC. Not ideal, but apparently necessary.
ReferencesClick to expand and view references- Cross-Site Scripting (BlackDuck)
- About the security content of macOS Sequoia 15.1.1 (Apple)
- Apple Macs Have a Fatal Flaw That Lets Hackers Steal Your Crypto-And There's No Fix (Decrypt)
- Changpeng Zhao X Post About Apple Vulnerability (X)
- About the security content of iOS 18.1.1 and iPadOS 18.1.1 (Apple)
- Apple Admits to Security Vulnerability That Leaves Crypto Users Exposed-Here's What You Should Do (Decrypt)
- Apple Chip Exploit That Steals Crypto? Here's What You Need to Know (Apple)
- Unpatchable vulnerability in Apple chip leaks secret encryption keys (Ars Technica)
The post Apple Vulnerabilities Could Endanger Your Crypto - One Is Not Patchable appeared first on Techreport.