Apple's in-house chips have security flaws that could expose your Gmail inbox to attackers

Several Apple devices launched after 2021 are reportedly affected by two newly discovered vulnerabilities in Apple’s A- and M-series chips. These vulnerabilities can potentially give attackers unauthorized remote access to sensitive user data, including credit card information, location, events, and emails, while browsing websites like iCloud Calendar, Gmail, Google Maps, and Proton Mail in Chrome and Safari browsers.

According to researchers from the Georgia Institute of Technology and Ruhr University Bochum (via Ars Technica), the vulnerabilities affect CPUs in later generations of Apple’s in-house silicon, opening them up to side-channel attacks: “a class of exploits that infers secrets by measuring manifestations such as timing, sound, and power consumption.” Proof-of-concept demos shared by the researchers show how the vulnerabilities can potentially be exploited using FLOP and SLAP side-channel attacks to steal location history from Google Maps, view events stored in iCloud Calendar, view inbox contents from Gmail and Proton Mail, and even read email contents.

The following Apple devices are reportedly vulnerable to one or both of the attacks mentioned above:

• All Macbooks Air and MacBook Pro models from 2022-present
• All Mac Mini, iMac, Mac Studio, and Mac Pro models from 2023-present
• All iPad Pro, Air, and Mini models from September 2021-present
• All iPhone models from September 2021-present

The researchers have informed Apple of the vulnerabilities and published a list of mitigations that could plug the security loopholes. Although Apple says the vulnerabilities do not pose “an immediate risk to our users,” the company has privately told the researchers that it plans to release patches soon.