Apple confirmed on Monday that its devices are affected by a flaw enabling remote execution of malicious code through web-based JavaScript. This vulnerability opens an attack vector that could lead to the theft of crypto-related data from unsuspecting users.
According to Apple’s latest security disclosure, users must update their JavaScriptCore and WebKit software to the latest versions to patch the issue. Discovered by researchers at Google’s Threat Analysis Group, the vulnerability allows “processing maliciously crafted web content,” resulting in “cross-site scripting attacks.” Alarmingly, Apple also admitted that the issue “may have been actively exploited on Intel-based Mac systems.”
Apple issued a similar security disclosure for iPhone and iPad users, stating that the JavaScriptCore flaw enables the “processing of maliciously crafted web content, which may lead to arbitrary code execution.” In other words, hackers could potentially take control of users’ iPhones or iPads if they visit malicious sites. Apple assured users that updates should resolve the issue.
Jeremiah O’Connor, CTO and co-founder of crypto cybersecurity firm Trugard, warned that “attackers could gain access to sensitive data like private keys or passwords stored in browsers,” potentially stealing crypto assets if users’ devices remain unpatched.
Earlier in March, reports emerged that security researchers had found vulnerabilities in Apple’s previous-generation chips (M1, M2, and M3 series). These flaws could allow hackers to extract cryptographic keys.
The attack exploits “prefetching,” a feature in Apple’s M-series chips designed to speed up interactions with the company’s devices. Prefetching can store sensitive data in the processor’s cache, enabling attackers to retrieve this information to reconstruct cryptographic keys that should remain inaccessible.
Unfortunately, according to Ars Technica, this presents a significant issue for Apple users, as chip-level vulnerabilities cannot be fixed through software updates.