Safari 15 Browser Software Error Allows Tracking of User Activity

A software bug introduced in Apple Safari 15's IndexedDB API implementation can be abused by a malicious website to track users' online activity in the web browser and, worse, even reveal their identity. The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the problem to the iPhone manufacturer in November 2021.

IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers to manage NoSQL databases of structured data, such as files and blobs. "Like most Web storage solutions, IndexedDB follows a same-origin policy," according to Mozilla's API documentation. "So while you can access data stored in a particular domain, you cannot access data in different domains."

The same-origin policy is a fundamental security mechanism that ensures that resources retrieved from different origins - that is, a combination of a URL's scheme (protocol), host (domain), and port number - are isolated from each other. This means that "http[:]//example[.]com/" and "https[:]//example[.]com/" are not of the same origin because they use different schemes. By restricting how a script loaded by one origin can interact with a resource from another origin, the idea is to isolate potentially malicious scripts and reduce possible attack vectors by preventing an unauthorized site from executing arbitrary JavaScript code to read data from another domain, for example an email service.

However, this is not how Safari handles the IndexedDB API on iOS, iPadOS, and macOS. "In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is in violation of the same-origin policy," said Martin Bajanik in an article. "Whenever a website interacts with a database, a new (empty) database with the same name is created in all other frames, tabs, and windows active in the same browser session."
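
A toy model of the behaviour described above, added here as an illustration and not taken from the article, FingerprintJS or WebKit: it contrasts origin-partitioned database bookkeeping with the leaky variant, and `foreignNames` is the isolation check that should always come back empty. `SessionModel`, its methods and any URLs passed to it are hypothetical.

```javascript
// Added illustration: toy model of per-origin IndexedDB bookkeeping (hypothetical names).
function originOf(url) {
  return new URL(url).origin; // scheme + host + port, default port normalised
}

class SessionModel {
  constructor({ leaky }) {
    this.leaky = leaky;      // true = behaviour the article describes for Safari 15
    this.stores = new Map(); // origin -> Map(dbName -> records[])
    this.opened = new Map(); // origin -> Set of names that origin opened itself
  }
  // A frame, tab or window for this URL becomes active in the session.
  activate(url) {
    const o = originOf(url);
    if (!this.stores.has(o)) {
      this.stores.set(o, new Map());
      this.opened.set(o, new Set());
    }
    return o;
  }
  // The page at `url` opens a database, creating it if needed.
  open(url, name) {
    const o = this.activate(url);
    this.opened.get(o).add(name);
    if (!this.stores.get(o).has(name)) this.stores.get(o).set(name, []);
    if (this.leaky) {
      // Bug as described: an empty database with the same name appears in
      // every other active context. The name leaks, the contents do not.
      for (const [other, dbs] of this.stores) {
        if (other !== o && !dbs.has(name)) dbs.set(name, []);
      }
    }
    return this.stores.get(o).get(name);
  }
  // Database names visible to the page at `url`.
  names(url) {
    return [...this.stores.get(this.activate(url)).keys()].sort();
  }
  // Isolation check: names an origin can see but never opened itself.
  foreignNames(url) {
    const o = this.activate(url);
    return this.names(url).filter((n) => !this.opened.get(o).has(n));
  }
}
```

With `leaky: true`, a context that was merely active when another origin opened a database reports that database's name through `foreignNames`, while its own copy stays empty.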

One consequence of this privacy violation is that it allows sites to learn which other sites a user is visiting in different tabs or windows and, more specifically, to accurately identify users on Google services such as YouTube and Google Calendar, because these sites create IndexedDB databases that include the authenticated Google user IDs - an internal identifier that uniquely identifies a single Google account. "This not only implies that untrusted or malicious sites can know a user's identity, but also allows multiple separate accounts used by the same user to be linked," Bajanik added.

To make matters worse, the leak also affects private browsing mode in Safari 15 if a user visits several different sites within the same tab in the browser window. "This is a huge bug," tweeted Jake Archibald, Google Chrome developer advocate. "In OSX, Safari users can (temporarily) switch to another browser to prevent their data from leaking between sources. iOS users don't have that choice, because Apple imposes a ban on other browser engines."

 

The original article via The Hacker News can be read at:
https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.html