Security researchers have identified two critical hardware vulnerabilities affecting Apple’s A-series and M-series processors, potentially exposing millions of devices to remote data extraction attacks. The vulnerabilities, dubbed FLOP (False Load Output Prediction) and SLAP (Speculative Load Address Prediction), enable malicious actors to bypass browser security controls and extract sensitive user information through JavaScript-based attacks.
Technical Nature of FLOP and SLAP Vulnerabilities
Both vulnerabilities exploit speculative execution mechanisms, a performance optimization technique used in modern processors. FLOP specifically targets the Load Value Prediction feature in newer Apple Silicon chips (M3, M4, and A17), while SLAP exploits Load Address Prediction weaknesses present in earlier models like M2 and A15. These architectural flaws allow attackers to construct timing-based side-channel attacks that bypass standard security protections, including browser sandboxing and Address Space Layout Randomization (ASLR). The research methodology mirrors prior speculative execution attacks catalogued in the MITRE ATT&CK framework.
Who Is Affected by FLOP and SLAP
The following device categories and user groups are at risk:
- Mac users running Apple Silicon M2, M3, M4 chips — including MacBook Air, MacBook Pro, Mac Mini, Mac Studio, and iMac
- iPhone and iPad users with A15, A17, or later chips using Safari or any browser with JavaScript enabled
- Enterprise environments where sensitive data (email, calendar, documents) is accessed through web apps in a browser
- Developers and researchers who run untrusted web content in browser tabs alongside authenticated sessions
What Data Attackers Can Extract
The attack methodology leverages JavaScript or WebAssembly code to execute timing attacks against the processor’s cache system. FLOP exploits incorrect value predictions to leak data through carefully crafted timing measurements, while SLAP takes advantage of flaws in memory access pattern prediction mechanisms. Attackers can potentially access:
- Email contents from providers accessed in the same browser session
- Location history from mapping services
- Calendar data from cloud services
- E-commerce account details and order history
- Browser history and session tokens
What to Do: Concrete Mitigation Steps
- Install all available Apple OS and browser updates immediately — Apple is actively developing patches addressing these speculative execution flaws
- Enable Safari’s “Prevent cross-site tracking” setting and consider disabling JavaScript for untrusted sites via Safari’s per-site settings (Settings → Safari → Advanced → Website Settings)
- Use Firefox, which implements stronger timer resolution restrictions that reduce the precision of timing attacks used by FLOP and SLAP
- Avoid opening untrusted or unknown websites in the same browser session where you are logged in to sensitive services (banking, email, corporate apps)
- For enterprise environments, enforce browser profiles that restrict WebAssembly execution on unmanaged domains
Apple’s Response
Apple has acknowledged these vulnerabilities and is actively developing hardware-level fixes. The company confirmed coordinated disclosure with the research team prior to publication. Until patches are released across all affected chipsets, the mitigations described above provide meaningful reduction in attack surface. Users should keep automatic OS updates enabled to receive fixes as they ship.
The FLOP and SLAP discoveries add to a growing body of research on speculative execution vulnerabilities — a class of hardware-level flaws that began with Spectre and Meltdown in 2018. The fundamental challenge is that performance optimizations at the chip level can create information leakage channels that software security controls cannot fully close.
