Apple’s in-house silicon, powering millions of Macs, iPhones, and iPads, harbouring two critical vulnerabilities that could leak sensitive data, including credit card details, location history, and email contents. Security researchers from Georgia Institute of Technology and Ruhr University Bochum have unveiled these flaws, which affect Apple’s A-series and M-series chips and compromise the security of both Safari and Chrome browsers.
The vulnerabilities stem from side-channel attacks, a category of exploits that infer sensitive information by analysing subtle physical or timing-based indicators. These newly identified exploits, named FLOP and SLAP, take advantage of speculative execution — a performance optimisation technique used in Apple’s silicon.
While speculative execution has previously been linked to security flaws, Apple’s approach extends its predictive capabilities beyond control flow to include data flaws, making it more susceptible to sophisticated attacks.
FLOP, the more powerful of the two attacks, manipulates the Load Value Predictor (LVP), a feature introduced in Apple’s M3 and A17 chips. The LVP is designed to predict memory contents before they are available, optimising performance.
However, researchers discovered that it can be misled into forwarding incorrect memory values, allowing attackers to extract private data such as location history, calendar events, and even credit card details.

For the attack to succeed, the victim must have an attacker-controlled site open in one tab while logged into a sensitive service (such as Gmail or iCloud) in another. FLOP then abuses Apple’s WebKit browser engine, manipulating its memory allocation to brute-force search for valuable data. The attack is effective against Safari and Chrome, making it a widespread threat.
SLAP targets the Load Address Predictor (LAP), a feature in newer Apple silicon that anticipates memory locations where data should be accessed. By forcing the LAP to predict incorrect addresses, SLAP enables cross-tab data leakages within Safari.
This means that if a victim has a sensitive webpage open — such as Gmail, Amazon, or Reddit — while simultaneously visiting a malicious site, the attacker could extract private information like email subject lines, sender details, or even shopping preferences. Unlike FLOP, SLAP is limited to Safari and cannot read arbitrary memory addresses but remains a significant risk to user privacy.

The researchers have identified the following Apple devices as vulnerable to one or both of these attacks:
- MacBook Air and Pro from 2022 onwards.
- Mac desktops (Mac Mini, iMac, Mac Studio, Mac Pro) from 2023 onwards.
- iPad Pro, Air, and Mini from September 2021 onwards.
- iPhone models from September 2021 onwards, including iPhone 13, 14, 15, and 16, as well as the iPhone SE (3rd generation).
It is interesting to note that Apple doesn’t consider this vulnerability as a serious matter. As Ars Technica reports, the official spokesperson downplayed the severity of the issue, stating, “We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats. Based on our analysis, we do not believe this issue poses an immediate risk to our users.”
In the News: Microsoft investigates DeepSeek’s alleged OpenAI data misuse