A fix is apparently coming
A vulnerability affecting the Safari browser could reveal users’ identities and their website histories, researchers have warned.
Safari introduced the issue in version 15, its latest release, in its implementation of the IndexedDB API. IndexedDB is a browser API for client-side storage designed to hold large amounts of data.
To prevent data leakage caused by cross-site scripting (XSS) attacks, IndexedDB follows the same-origin policy, which controls which resources can access each piece of data.
The same-origin policy restricts how documents or scripts loaded from one origin can interact with resources from other origins. It also prevents malicious scripts on one page from accessing sensitive data on another.
In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy in WebKit's implementation, making user information accessible, according to a blog post by the FingerprintJS researchers who discovered the vulnerability.
“It allows any website to know which websites a user is visiting in different tabs or windows,” the blog post explains. “This is possible because database names are often unique and site-specific.
‘Precise identification’
“Furthermore, we have observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and accurately identified.
“Some popular examples are YouTube, Google Calendar, or Google Keep. All of these sites create databases containing authenticated Google user IDs, and if a user is logged into multiple accounts, a database is created for all of those accounts.”
Therefore, an untrusted or malicious website may not only learn the identity of the user, but may also be able to link together multiple separate accounts used by the same person.
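As an added, defender-side illustration of the identifier point above (this is not FingerprintJS's proof of concept or Apple's code), the following is a small audit a site operator can run against the database names their own pages create, with constructed sample names; because an affected browser exposes database names to other origins, keeping account identifiers out of those names is the one part of the leak a site controls.

```javascript
// Added example: audit IndexedDB database names for embedded account
// identifiers. In an affected browser the names (not the contents) are
// visible to other origins, so a name such as "notes-<accountId>" turns a
// browsing-history leak into an identity leak. Pattern order matters:
// a long decimal account id is also valid hex, so it is checked first.
const IDENTIFIER_PATTERNS = [
  { kind: "email",      re: /[^\s@/]+@[^\s@/]+\.[a-z]{2,}/i },
  { kind: "uuid",       re: /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/i },
  { kind: "numeric-id", re: /\d{8,}/ },
  { kind: "hex-token",  re: /\b[0-9a-f]{16,}\b/i },
];

// Classify one database name; returns null when the name looks static.
function classifyDatabaseName(name) {
  for (const { kind, re } of IDENTIFIER_PATTERNS) {
    const m = name.match(re);
    if (m) return { name, kind, fragment: m[0] };
  }
  return null;
}

// Audit a list of entries in the shape indexedDB.databases() resolves to
// ({ name, version }); plain strings are accepted too.
function auditDatabaseNames(entries) {
  const findings = [];
  for (const entry of entries) {
    const name = typeof entry === "string" ? entry : entry.name;
    const hit = classifyDatabaseName(name);
    if (hit) findings.push(hit);
  }
  return findings;
}

// Browser-only helper (hypothetical name): run the audit from a page's own
// devtools console against the databases of the current origin.
async function auditThisOrigin() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    throw new Error("indexedDB.databases() is not available in this environment");
  }
  return auditDatabaseNames(await indexedDB.databases());
}

// Constructed sample input: the kind of listing a site might get back.
const SAMPLE_LISTING = [
  { name: "app-settings", version: 3 },                        // static: fine
  { name: "notes-sync-1234567890123456789", version: 1 },      // numeric account id
  { name: "cache-alice@example.com", version: 2 },             // e-mail address
  { name: "session-3f9a1c7b2d4e6f80", version: 1 },            // hex token
];
```

A finding does not prove the name is user-specific, only that it contains an identifier-like fragment worth replacing with a fixed, site-wide name.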
The researchers noted that these leaks did not require any specific user action. They explain that a tab or window running in the background and constantly querying the IndexedDB API for available databases can provide real-time insight into other websites a user visits.
Alternatively, a website can open any website in an iframe or popup to trigger an IndexedDB-based leak for that particular website.
FingerprintJS claims that more than 30 of Alexa’s top 1,000 sites use IndexedDB directly on their homepage, leaving them exposed to the issue, although the researchers “expect this number to be significantly higher in the real world.”
Fix incoming?
A proof of concept can be found in FingerprintJS’s blog post.
Apple is aware of the problem, and according to the researchers, engineers confirmed they’ve fixed it. However, FingerprintJS claims that the problem still exists.
At the same time, there is “nothing users can do” to protect themselves from the vulnerability, the researchers explained.
They wrote: “One option might be to block all JavaScript by default and only allow it on trusted sites. This makes modern web browsing inconvenient and may not be a good solution for everyone.
“Furthermore, vulnerabilities such as cross-site scripting can also be targeted through trusted sites, albeit with a much lesser risk.
“Another option for Safari users on Mac is to temporarily switch to a different browser. Unfortunately, on iOS and iPadOS this is not an option as all browsers are affected.”
The Daily Swig has contacted FingerprintJS and Apple to learn more about whether a fix is in place.
This article will be updated as we hear back.