TL;DR: Researchers at Georgia Tech have developed a side-channel exploit for Apple M-series and A-series chips running macOS and iOS. The attack, cleverly dubbed iLeakage, can force Safari and other browsers to reveal Gmail messages, passwords, and other sensitive and private information.
iLeakage works similarly to the Spectre and Meltdown exploits that gave chip manufacturers so much trouble in 2018. The attack leverages the speculative execution feature of modern processors to gain access to information that would normally be hidden.
The technique can reveal the contents of an email so long as the user is logged into Gmail (masthead video). It can also grab credentials if the victim uses a password manager's auto-fill function (above). Theoretically, the exploit could show the hacker practically anything that goes through the processor's speculative execution pipe. Below they demo how it can access a target's YouTube history.
iLeakage utilizes WebKit, so it only works with Safari on Macs with an M-series chip (2020 or later). However, any browser on recent iPhones or iPads is vulnerable since Apple requires developers to use its browser engine on those operating systems. It is unclear if the method could be tweaked to use non-WebKit browsers in macOS.
Although there is no CVE tracking designator, Georgia Tech notified Apple of the security issue on September 12, 2022. Cupertino developers are still working on fully mitigating it. At the time of public disclosure, Apple had patched the vulnerability in macOS, but it's not on by default and is considered "unstable." The researchers listed steps to enable the unperfected patch under "How can I defend against iLeakage?" Users should be familiar with Terminal and need full disk access before proceeding.
There is no evidence that bad actors have used iLeakage's method in the wild. However, now that public disclosure has occurred, users should implement available mitigation methods and be mindful of the sites they visit.