KEY TAKEAWAYS
- Apple reported a vulnerability that opens up users to data theft in the browser, including passwords and potentially crypto.
- The latest iOS updates should fix this vulnerability, so it’s imperative for users to update their devices, Macs, and mobile phones.
- JavaScriptCore and WebKit services are the root cause of the vulnerability, and Apple said they’ve already been exploited by hackers.
- Apple’s M1, M2, and M3 Mac chips remain vulnerable to data theft, including crypto wallet-sensitive data, as the vulnerability is on the hardware.
On Monday, Apple confirmed an iOS vulnerability that could result in massive crypto theft.
An attacker could inject malicious code through JavaScript (web-based attack), which opens the way to a cross-site scripting attack.
More importantly, the flaw was already discovered and misused by hackers.
Apple is aware of a report that this issue may have been exploited on Intel-based MAC systems.
– Apple
This is further compounded by a March report that Apple’s last-gen chips (M1, M2, and M3 series) are vulnerable to cryptographic key theft.
Let’s see what this means for Apple users.
Root Cause of the Vulnerability – WebKit & JavaScript
Apple’s analysis of the vulnerability narrows down the problem to two things:
1. Web-based arbitrary code execution through JavaScriptCore. This was exploited on Intel-based Mac systems.
2. Cross site scripting attacks through WebKit, similarly exploited on Intel-based Mac systems.
Both issues have been addressed in the latest update, as Changpeng Zhao (Binance CEO) notified on X.
If you haven’t updated your Intel-based Macbook, do it now. You need the latest version of WebKit and JavaScriptCore to patch this vulnerability.
Otherwise, your crypto assets may be at risk.
Apple issued a similar vulnerability report for iOS 18.1.1 and iPadOS 18.1.1. JavaScripCore and WebKit were also the culprits.
As for the solution, an OS update ‘should’ solve the issue.
Free Access to Browser Passwords & Crypto Keys
That’s right, this vulnerability allowed hackers to see any sensitive data stored in your browser. This includes crypto wallet private keys.
[…] attackers could access sensitive data like private keys or passwords.
– Jeremiah O’Connor, Trugard CTO and Co-Founder
This is further aggravated by a March report from Apple saying that the M1, M2, and M3 chips are also vulnerable.
A different kind of vulnerability, mind you.
Hackers can steal cryptographic keys through a ‘prefetching’ exploit, which accesses data stored in the processor and then builds a cryptographic key that should be private.
The problem is that this is a chip-level vulnerability and, thus, not patchable through software updates.
Apple… Just Why?
The good news is that if you use a current-gen Apple chip, you’re safe. The latest software updates removed the vulnerability, so your crypto and passwords are secure.
The bad (or horrible) news is that M1, M2, and M3 chip users are still open to the prefetching exploit. But only if you install malware on your device.
The only solution is to move your crypto wallets to other devices, like a Windows PC. Not ideal, but apparently necessary.
References
Click to expand and view references
Add Techreport to Your Google News Feed
Get the latest updates, trends, and insights delivered straight to your fingertips. Subscribe now!
Subscribe now
Alex is a junior crypto editor passionate about data privacy, cybersecurity, and crypto. You’ll often find him geeking out on the latest security key, password manager, or the hottest crypto presale, looking for that one digital currency to rule them all. With over six years of freelance writing under his belt, Alex fell in love with the process.
From researching data and brainstorming topics to comparing cryptocurrency whitepapers and digging deep into crypto roadmaps, it’s all in the keyboard. Ideally, a mechanical one with brown switches.
Alex is an eternal learner who knows that continuous improvement is the best way to remain relevant. Currently, he’s brushing up his E-E-A-T and SEO skills, but who knows what comes next? In his spare time, he enjoys video games, horror movies, and going to the gym, which sometimes conflicts with his gourmand nature.
Oh, well, you can’t have them all.
Follow Alex on LinkedIn
View all articles by Alex Popa
The Tech Report editorial policy is centered on providing helpful, accurate content that offers real value to our readers. We only work with experienced writers who have specific knowledge in the topics they cover, including latest developments in technology, online privacy, cryptocurrencies, software, and more. Our editorial policy ensures that each topic is researched and curated by our in-house editors. We maintain rigorous journalistic standards, and every article is 100% written by real authors.