Apple Vulnerabilities Could Endanger Your Crypto – One Is Not Patchable
KEY TAKEAWAYS
- Apple reported a vulnerability that opens up users to data theft in the browser, including passwords and potentially crypto.
- The latest iOS updates should fix this vulnerability, so it’s imperative for users to update their devices, Macs, and mobile phones.
- JavaScriptCore and WebKit services are the root cause of the vulnerability, and Apple said they’ve already been exploited by hackers.
- Apple’s M1, M2, and M3 Mac chips remain vulnerable to data theft, including crypto wallet-sensitive data, as the vulnerability is on the hardware.
On Monday, Apple confirmed an iOS vulnerability that could result in massive crypto theft.
An attacker could inject malicious code through JavaScript (web-based attack), which opens the way to a cross-site scripting attack.
More importantly, the flaw was already discovered and misused by hackers.
Apple is aware of a report that this issue may have been exploited on Intel-based MAC systems.
– Apple
This is further compounded by a March report that Apple’s last-gen chips (M1, M2, and M3 series) are vulnerable to cryptographic key theft.
Let’s see what this means for Apple users.
Root Cause of the Vulnerability – WebKit & JavaScript
Apple’s analysis of the vulnerability narrows down the problem to two things:
1. Web-based arbitrary code execution through JavaScriptCore. This was exploited on Intel-based Mac systems.
2. Cross site scripting attacks through WebKit, similarly exploited on Intel-based Mac systems.
Both issues have been addressed in the latest update, as Changpeng Zhao (Binance CEO) notified on X.
If you haven’t updated your Intel-based Macbook, do it now. You need the latest version of WebKit and JavaScriptCore to patch this vulnerability.
Otherwise, your crypto assets may be at risk.
Apple issued a similar vulnerability report for iOS 18.1.1 and iPadOS 18.1.1. JavaScripCore and WebKit were also the culprits.
As for the solution, an OS update ‘should’ solve the issue.
Free Access to Browser Passwords & Crypto Keys
That’s right, this vulnerability allowed hackers to see any sensitive data stored in your browser. This includes crypto wallet private keys.
[…] attackers could access sensitive data like private keys or passwords.
– Jeremiah O’Connor, Trugard CTO and Co-Founder
This is further aggravated by a March report from Apple saying that the M1, M2, and M3 chips are also vulnerable.
A different kind of vulnerability, mind you.
Hackers can steal cryptographic keys through a ‘prefetching’ exploit, which accesses data stored in the processor and then builds a cryptographic key that should be private.
The problem is that this is a chip-level vulnerability and, thus, not patchable through software updates.
Apple… Just Why?
The good news is that if you use a current-gen Apple chip, you’re safe. The latest software updates removed the vulnerability, so your crypto and passwords are secure.
The bad (or horrible) news is that M1, M2, and M3 chip users are still open to the prefetching exploit. But only if you install malware on your device.
The only solution is to move your crypto wallets to other devices, like a Windows PC. Not ideal, but apparently necessary.
References
Add Techreport to Your Google News Feed
Get the latest updates, trends, and insights delivered straight to your fingertips. Subscribe now!
Subscribe now
The Tech Report editorial policy is centered on providing helpful, accurate content that offers real value to our readers. We only work with experienced writers who have specific knowledge in the topics they cover, including latest developments in technology, online privacy, cryptocurrencies, software, and more. Our editorial policy ensures that each topic is researched and curated by our in-house editors. We maintain rigorous journalistic standards, and every article is 100% written by real authors.