# Understanding SLAP and FLOP: New Vulnerabilities Impacting Apple Devices
Security researchers at the Georgia Institute of Technology have disclosed two vulnerabilities, SLAP (Speculation Attacks via Load Address Prediction) and FLOP (False Load Output Predictions), that affect all current iPhones, iPads, and Macs, as well as several earlier models. These vulnerabilities may let attackers read the contents of open web tabs, which is a significant threat to user privacy and security.
## What Are SLAP and FLOP?
SLAP and FLOP are vulnerabilities that exploit the speculative execution techniques used by modern processors, including Apple’s A15 and M2 chips and their successors. Speculative execution is a performance optimization in which the processor predicts upcoming instructions and loads the data they need ahead of time. Although this improves processing efficiency, it also gives attackers an opening to feed bad data into these speculative operations, allowing them to read memory contents that should be protected.
These vulnerabilities function similarly to the infamous Spectre and Meltdown vulnerabilities, which also leveraged speculative execution to gain access to sensitive data.
## How Do the Vulnerabilities Function?
Ideally, web browsers such as Safari and Chrome isolate each tab in its own sandbox, preventing one tab from accessing information from another. However, SLAP and FLOP can circumvent these safeguards under specific circumstances:

- **SLAP**: If an attacker tricks a user into visiting a compromised site, they can use SLAP to retrieve data from any other active Safari tab. This could include sensitive details such as emails, location information from Apple Maps, and banking credentials.
- **FLOP**: This vulnerability extends the reach of SLAP by affecting Chrome as well, making it a more formidable threat. Like SLAP, FLOP can give attackers access to data from several tabs without any malware being installed on the user’s device.
## Which Devices Are at Risk?
The vulnerabilities affect any Apple device with an A15 or later chip, as well as those with an M2 or later chip. The following devices have been confirmed as vulnerable:
### iPhone:
- iPhone 13
- iPhone 14
- iPhone 15
- iPhone 16
- 3rd-gen iPhone SE
### iPad:
- iPad Air models from 2021 onwards
- iPad Pro models from 2021 onwards
- iPad mini models from 2021 onwards
### Mac:
- MacBook Air models from 2022 onwards
- MacBook Pro models from 2022 onwards
- Mac mini models from 2023 onwards
- Mac Studio models from 2023 onwards
- iMac models from 2023 onwards
- Mac Pro (2023)
## What’s the Actual Risk?
Currently, researchers have not found any evidence that SLAP or FLOP has been exploited in the wild. Apple has acknowledged the vulnerabilities and has been working on fixes since they were first reported (May 2024 for SLAP and September 2024 for FLOP). In a statement to BleepingComputer, Apple reassured its customers:
> “Based on our analysis, we do not believe this issue poses an immediate risk to our users.”
While there are no immediate actions users can take to reduce these risks beyond being cautious with the websites they access, it is crucial to stay alert and ensure devices are updated with the latest security patches as they are released.
## Conclusion
The discovery of SLAP and FLOP underscores the persistent difficulty of protecting modern computing devices against advanced attacks. While Apple works to resolve these vulnerabilities, users should remain aware of potential threats and adopt safe browsing practices. Keeping devices up to date and being careful about which websites they visit can help mitigate the risks associated with these vulnerabilities until a permanent fix is applied.