A vulnerability affecting the Safari browser can leak a user’s identity and their website history, researchers have warned.
The issue was introduced in Safari’s implementation of the IndexedDB API in its latest offering, version 15. IndexedDB is a browser API for client-side storage designed to hold significant amounts of data.
To prevent data leaks from cross-site scripting (XSS) attacks, IndexedDB follows the same-origin policy, controlling which resources can access each piece of data.
Same-origin policy restricts how documents or scripts loaded from one origin can interact with resources from other origins. It also prevents malicious script on one page from obtaining access to sensitive data on another web page.
A blog post from researchers at FingerprintJS who discovered the bug, have revealed that in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating same-origin policy in the WebKit implementation, leading to users’ information being made accessible.
“It lets arbitrary websites learn what websites the user visits in different tabs or windows,” the blog post explains. “This is possible because database names are typically unique and website-specific.
‘Precisely identified’
“Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.
“Some popular examples would be YouTube, Google Calendar, or Google Keep. All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts.”
Not only can untrusted or malicious websites therefore potentially learn a user’s identity, this could also allow the linking together of multiple separate accounts used by the same user.
The researchers noted that these leaks do not require any specific user action. A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time, they explained.
Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.
FingerprintJS claims that more than 30 of the Alexa Top 1000 sites use indexed databases directly on their homepage, potentially leaving them exposed to the bug, though they “expect the number to be significantly higher in real-world scenarios”.
Fix incoming?
A proof-of-concept can be found in FingerprintJS’ blog post.
Apple has been made aware of the problem and, according to researchers, engineers confirmed they had fixed the problem. However, FingerprintJS claims that the issue is still present.
In the meantime, users “can’t do much” to protect themselves against the vulnerability, explained the researchers.
They wrote: “One option may be to block all JavaScript by default and only allow it on sites that are trusted. This makes modern web browsing inconvenient and is likely not a good solution for everyone.
“Moreover, vulnerabilities like cross-site scripting make it possible to get targeted via trusted sites as well, although the risk is much smaller.
“Another alternative for Safari users on Macs is to temporarily switch to a different browser. Unfortunately, on iOS and iPadOS this is not an option as all browsers are affected.”
The Daily Swig has reached out to both FingerprintJS and Apple to find out more about whether a proper fix is incoming.
This article will be updated as and when we hear back.
