Software Error in Safari 15 Browser Allows Tracking of User Activity

A software error introduced in the IndexedDB API implementation of Apple Safari 15 can be abused by a malicious website to track users' online activity and, worse, even reveal their identity. The vulnerability, dubbed IndexedDB Leaks, was disclosed by the fraud protection software company FingerprintJS, which reported the problem to the iPhone maker in November 2021.

IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers for managing NoSQL databases of structured data, such as files and blobs. "Like most storage solutions on the Web, IndexedDB follows a same-origin policy," according to Mozilla's API documentation. "So while you can access data stored in a particular domain, you can't access data in different domains."

The same-origin policy is a fundamental security mechanism that guarantees that resources retrieved from different origins - i.e. a combination of the scheme (protocol), host (domain) and port number of a URL - are isolated from each other. This means that "http[:]//example[.]com/" and "https[:]//example[.]com/" are not of the same origin because they use different schemes. By restricting how a script loaded by one origin can interact with a resource from another origin, the idea is to isolate potentially malicious scripts and reduce possible attack vectors by preventing an unauthorized site from executing JavaScript code to read data from another domain, for example an e-mail service.

However, this is not the case with how Safari handles the IndexedDB API on iOS, iPadOS and macOS. "In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy," said Martin Bajanik in an article. "Whenever a website interacts with a database, a new (empty) database with the same name is created in all the other active frames, tabs and windows in the same browser session."
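The isolation rule and the way the quoted behaviour breaks it can be modelled in a few lines. This is an added example, not code from FingerprintJS or the original article: it is a toy model rather than the real IndexedDB API, and the `BrowserSession` class, the second origin and the database name are constructed for illustration.

```javascript
// Toy model of per-origin database namespaces (constructed for illustration).

// An origin is the (scheme, host, port) tuple; URL.origin normalizes default ports.
function originOf(url) {
  return new URL(url).origin;
}

class BrowserSession {
  // leaky=false models same-origin isolation; leaky=true models the quoted
  // behaviour: an empty same-named database appears in every other active context.
  constructor(leaky) {
    this.leaky = leaky;
    this.stores = new Map(); // origin -> Map(dbName -> records[])
  }
  openContext(url) {
    const origin = originOf(url);
    if (!this.stores.has(origin)) this.stores.set(origin, new Map());
    return origin;
  }
  createDatabase(url, name, records) {
    const origin = this.openContext(url);
    this.stores.get(origin).set(name, records);
    if (this.leaky) {
      for (const [other, dbs] of this.stores) {
        // Only the name crosses the boundary; the mirrored copy holds no records.
        if (other !== origin && !dbs.has(name)) dbs.set(name, []);
      }
    }
  }
  databaseNames(url) {
    return [...this.stores.get(this.openContext(url)).keys()].sort();
  }
}

// Returns the database names origin B can see after origin A creates one.
function namesVisibleAcrossOrigins(leaky) {
  const session = new BrowserSession(leaky);
  const a = "https://example.com/";   // origin that creates the database
  const b = "https://other.example/"; // constructed second origin in another tab
  session.openContext(b);
  session.createDatabase(a, "db-user-1234", [{ k: "v" }]); // constructed name
  return session.databaseNames(b);
}
```

With isolation intact the second origin sees no names at all; in the leaky model it sees the name even though the mirrored database is empty, which is why a name that embeds an account identifier is enough to expose the user.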

One consequence of this breach of privacy is that it allows websites to know which other websites a user is visiting in different tabs or windows and, specifically, to accurately identify users of Google services such as YouTube and Google Calendar, because these sites create IndexedDB databases that include the authenticated Google User ID - an internal identifier that uniquely identifies a single Google account. "This not only implies that untrustworthy or malicious sites can know the identity of a user, but also allows linking several separate accounts used by the same user," Bajanik added.

To make matters worse, this leak also affects the private browsing mode in Safari 15 if a user visits several different websites from the same tab in the browser window. "This is a huge bug," tweeted Jake Archibald, developer advocate for Google Chrome. "On OSX, Safari users can (temporarily) switch to another browser to prevent their data from leaking between origins. Users of iOS don't have that choice, because Apple imposes a ban on other browser engines."

 

The original article via The Hacker News can be read at:
https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.html
 