Apple M1 Macs and Windows PCs Are Vulnerable to New HTML/CSS Hack

Security researchers from Cornell University have found a web browser attack that affects both macOS and Windows computers. Unlike other browser-based attacks, this one does not use JavaScript.

The hack is the first JavaScript-free browser side-channel attack ever discovered. Rather than using the popular scripting language, the exploit was built entirely with CSS and HTML.

Though new, Apple’s M1 chipset is not protected from this attack and maybe more vulnerable to this exploit, claim the researchers in a recently published paper (via AppleInsider).

It is described as being “architecturally agnostic” attacking Samsung, AMD, and even Apple’s new silicon, says The 8-Bit blog.

In fact, Apple’s M1 chipset may even be more vulnerable to this attack.

“Ironically, we show that our attacks are sometimes more effective on these novel CPUs by Apple and Samsung compared to their well-explored Intel counterparts, presumably due to their simpler cache replacement policies.”

Cornell University Researchers

This exploit is particularly effective as it will work even when a user locks down their browser by blocking JavaScript. It also ignores privacy technologies like Tor or a VPN that are meant to keep your browsing information safe.

The vulnerability potentially could spy on a user’s web activity and share that information without the user’s consent or knowledge.

Most users believe they are always safe after blocking JavaScript and using a VPN, however, this attack shows that even these measures are not foolproof and may provide a false sense of security in some instances.