Improperly implemented APIs that store data in the browser have led to a vulnerability in Safari 15 that could reveal a user's internet activity and personal identifiers.
The vulnerability was discovered by the fraud detection service Fingerprint JS, which has contacted the WebKit maintainers and provided a public source code repository.
As of last November 28th, the issue had not been resolved, so the team at Fingerprint JS decided to make the discovery public to encourage a fix.
The commonly used low-level JavaScript API called IndexedDB follows the same-origin policy, which means that documents or scripts associated with one origin should not interact with resources associated with other origins. A web page opened in one tab of a browser should not share data with the next tab, for obvious reasons: one tab may be the user's bank and another a malicious website.
But in the case of this particular indexed database, the individual pages do interact, putting the user at risk. In Safari 15, every time a website interacts with the database, a new empty database with the same name is created in all other active frames, tabs and windows in the same browser session. As a result, other websites can read the database name. The Safari exploit could then expose public information from, for example, a Google account.
Google puts the unique Google user ID of a logged-in user in the database name. If a website reads that Google user ID and uses it to look up personal information, the database name can be used to extract identifying information from a lookup table.
But not only can a malicious website learn the identity of a user, it can also stitch together multiple separate accounts from the same user without that user even having to do anything other than run a window in the background. If programmed in an iframe or pop-up window, malicious websites can open other websites, opening a Pandora’s box of leaked data.
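As an added example (not code from the article or from Fingerprint JS), here is a site-side guard a developer could put in front of indexedDB.open() so that, even where database names leak across origins as described above, the leaked name carries no account identifier. The patterns, thresholds and the stub that stands in for the browser's indexedDB object are assumptions.

```javascript
// Assumed heuristics for "this name embeds an identifier"; tune to your own id formats.
const DIGIT_RUN = /\d{9,}/;                 // long numeric account ids (Google ids are ~21 digits)
const EMAIL = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const UUID = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;

// True if the name contains a 20+ char alphanumeric token mixing at least 4 digits and
// 4 letters, which is what session ids, hashes and opaque user tokens look like.
function hasOpaqueToken(name) {
  const tokens = name.match(/[A-Za-z0-9_-]{20,}/g) || [];
  return tokens.some((t) => {
    const digits = (t.match(/\d/g) || []).length;
    const letters = (t.match(/[A-Za-z]/g) || []).length;
    return digits >= 4 && letters >= 4;
  });
}

// Returns the first reason a database name looks like it carries an identifier,
// or null if the name passes the policy.
function identifierRisk(name) {
  if (typeof name !== 'string' || name.length === 0) return 'empty name';
  if (EMAIL.test(name)) return 'email address';
  if (UUID.test(name)) return 'uuid';
  if (DIGIT_RUN.test(name)) return 'long digit run';
  if (hasOpaqueToken(name)) return 'long opaque token';
  return null;
}

// Wrapper around idb.open(): refuse to create a database whose name fails the policy.
// `idb` is the browser's indexedDB in production; the test passes a stub (Node has none).
function guardedOpen(idb, name, version) {
  const risk = identifierRisk(name);
  if (risk) throw new Error(`refusing IndexedDB name "${name}": ${risk}`);
  return idb.open(name, version);
}

// Recommended layout: one fixed, non-identifying database per origin, with the user id
// kept inside a record key rather than in the database name that Safari 15 leaked.
function userRecordKey(appName, userId) {
  return { db: `${appName}-store`, key: `user:${userId}` };
}
```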
Fingerprint JS made a video to explain the process:
The team found that more than 30 sites in the Alexa Top 1000 interacted with an indexed database on their homepage without users doing anything, and they believe there are more.
Sadly, browsing in private mode doesn’t solve the problem, although the scope of information gained through leaks is more limited by the nature of the tool.
The fraud detection service has created a demo that identifies sites opened or recently opened by Google Account users. It looks for more than 20 specific websites that it knows have the issue, and works with Safari 15 on macOS and with browsers on iOS 15 or iPadOS 15 (which Apple requires to use WebKit), and with Google accounts.
The team says there's nothing to do but wait while browsing the web on Apple products, other than blocking JavaScript, not using a Google account, or switching to a different browser where available (not an option on iOS and iPadOS).
This comes after Apple, in June 2020, refused to implement 16 Web APIs in Safari's WebKit engine, claiming they posed a privacy threat. Some researchers hailed the move as a victory for privacy, but many scoffed at the decision, saying it was an attempt to force the use of native iOS apps and the revenue they bring.
Of course, this product-only approach extends beyond the company's browser. Just last week, Apple was forced to stop delaying and allow third-party application billing systems in South Korea under the country's Telecommunications Business Law. Google was asked to do the same in September and complied in November, two months before Apple.
WebKit and IndexedDB have been problematic in the past. A bug in Safari 14.1.1 on macOS 11.4 and iOS 14.6 that occurs when an application first attempts to store data using the IndexedDB NoSQL manager caused user outrage last June. An open-source developer called Apple "hostile to the web." ®