Oof, not good. First, because it was reported to Apple back in December and they still didn't do anything to address it. Second, because of this:
Quote: "We're talking about high-end users, like someone who has a cryptocurrency wallet with a lot of money," he says. But he notes that in theory this attack might be used to break the TLS cryptography that a computer's browser uses to encrypt communication between their computer and web sites, which could allow attackers to decrypt that communication to extract a user's session cookie for their Gmail or other web-based email account and use it to log into the account as them. "I'm not saying it's a practical attack, I'm just saying that's the kind of threat you might be worried about," he says. "You can get [other] very high-valued keys potentially," including their iCloud keys to access backed up data. The researchers reported the issue to Apple in December, but other than thanking them for their work, Genkin says Apple didn't indicate what, if anything, it might do to address the problem.
Quote: It's also theoretically possible for an attacker to pull this off by embedding malicious code into Javascript on a web site so that when a computer with an M-series chip visits the site, the attacker's malicious code can conduct the attack to grab data from the cache. The researchers didn't test a web site attack, but Green says the scenario is plausible. It would also be a more concerning attack, he notes, because attackers could scale it to attack thousands of computers quickly.
This is huge.