A software bug introduced in Apple Safari 15’s implementation of the IndexedDB API could be abused by malicious websites to track a user’s online activity in the web browser and, worse, even reveal their identity.
The vulnerability, dubbed the IndexedDB leak, was disclosed by FingerprintJS, a fraud protection software company that reported the issue to the iPhone maker on November 28, 2021.
IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers for managing a NoSQL database of structured data objects such as files and blobs.
“Like most web storage solutions, IndexedDB follows the same-origin policy,” Mozilla notes in its API documentation. “So while you can access data stored within a domain, you cannot access data in a different domain.”
Same-origin is a fundamental security mechanism that ensures resources retrieved from different origins – that is, a combination of the URL’s scheme (protocol), host (domain), and port number – are isolated from each other. This effectively means that “http[:]//example[.]com/” and “https[:]//example[.]com/” come from different origins because they use different schemes.
By limiting how scripts loaded from one origin can interact with resources from another origin, the idea is to isolate potentially malicious scripts and reduce potential attack vectors by preventing rogue websites from running arbitrary JavaScript code to read data from another domain, such as an email service.
But that’s not how Safari handles the IndexedDB API across iOS, iPadOS, and macOS.
“In Safari 15 on macOS and all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy,” Martin Bajanik said in a write-up. “Every time a website interacts with the database, a new (empty) database with the same name is created in all other active frames, tabs, and windows in the same browser session.”
The consequence of this privacy violation is that it allows sites to learn about other sites a user is visiting in different tabs or windows, not to mention accurately identify users on Google services like YouTube and Google Calendar, since these sites create IndexedDB databases that include the authenticated Google User ID, an internal identifier that uniquely identifies a single Google account.
“Not only does this mean that an untrusted or malicious website can learn the identity of a user, but it also allows multiple separate accounts used by the same user to be linked together,” Bajanik said.
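To make the origin definition and the leak described above concrete, here is an added example (not code from the article or from FingerprintJS): a small model of per-origin IndexedDB namespaces in which `leaky=false` applies the intended same-origin policy and `leaky=true` reproduces the Safari 15 behaviour, where opening a database also creates an empty database of the same name for every other active frame in the session. The `originOf`, `BrowserSession`, frame ids and hostnames are all constructed for illustration; default ports (http 80, https 443) are an assumption of the model.

```javascript
// Added example: a toy model of per-origin IndexedDB namespaces, contrasting
// the same-origin policy with the Safari 15 leak described in the article.

// An origin is scheme + host + port. Assumption: default ports are filled in
// (http -> 80, https -> 443), so http://example.com and https://example.com
// are distinct origins because their schemes differ.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

class BrowserSession {
  constructor({ leaky = false } = {}) {
    this.leaky = leaky;       // true models the bug, false the intended policy
    this.frames = new Map();  // frame id -> origin of the page loaded in it
    this.stores = new Map();  // origin -> Map(database name -> records)
  }
  openFrame(frameId, url) {
    const origin = originOf(url);
    this.frames.set(frameId, origin);
    if (!this.stores.has(origin)) this.stores.set(origin, new Map());
  }
  // Models indexedDB.open(name) followed by writing some records.
  openDatabase(frameId, dbName, records = []) {
    this.stores.get(this.frames.get(frameId)).set(dbName, records);
    if (!this.leaky) return;
    // Bug: an empty database with the same name appears for every other frame,
    // so its name (not its contents) becomes visible to unrelated origins.
    for (const [id, origin] of this.frames) {
      const store = this.stores.get(origin);
      if (id !== frameId && !store.has(dbName)) store.set(dbName, []);
    }
  }
  // Models indexedDB.databases(): names visible to the frame's origin.
  databases(frameId) {
    return [...this.stores.get(this.frames.get(frameId)).keys()].sort();
  }
  records(frameId, dbName) {
    return this.stores.get(this.frames.get(frameId)).get(dbName) || [];
  }
}
```

Under the leaky model only the database name crosses origins, which is exactly why a name that embeds a user identifier is enough to identify the user.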
To make matters worse, the leak also affects Private Browsing mode in Safari 15 should a user visit multiple different websites from the same tab in the browser window. We’ve reached out to Apple for further comment and will update the story if we hear back.
“This was a huge mistake,” Jake Archibald, developer advocate for Google Chrome, tweeted. “On OSX, Safari users can (temporarily) switch to another browser to avoid cross-origin leakage of their data. iOS users don’t have such an option because Apple prohibits other browser engines.”