Fix is apparently incoming
UPDATED A vulnerability affecting the Safari browser can leak a user’s identity and their website history, researchers have warned.
The issue was introduced in Safari’s implementation of the IndexedDB API in its latest offering, version 15. IndexedDB is a browser API for client-side storage designed to hold significant amounts of data.
Same-origin policy restricts how documents or scripts loaded from one origin can interact with resources from other origins. It also prevents a malicious script on one page from obtaining access to sensitive data on another web page.
Researchers at FingerprintJS, who discovered the bug, revealed in a blog post that in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API violates same-origin policy in the WebKit implementation, making users’ information accessible.
“It lets arbitrary websites learn what websites the user visits in different tabs or windows,” the blog post explains. “This is possible because database names are typically unique and website-specific.
“Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.
“Some popular examples would be YouTube, Google Calendar, or Google Keep. All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts.”
Not only can untrusted or malicious websites therefore potentially learn a user’s identity, this could also allow the linking together of multiple separate accounts used by the same user.
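Site developers can check whether their own database names carry the kind of user-specific identifier described above. The following is an added example, not code from the article or from FingerprintJS; the pattern list, function names and sample database names are assumptions made for illustration.

```javascript
// Added example: heuristic audit of a site's OWN IndexedDB database names.
// The pattern list is an assumption for illustration, not a standard.
const IDENTIFIER_PATTERNS = [
  { kind: 'email', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: 'uuid', re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: 'long-number', re: /\d{10,}/ },
  { kind: 'hex-token', re: /[0-9a-f]{24,}/i },
];

// `databases` has the shape returned by `await indexedDB.databases()`
// in a browser: an array of { name, version } objects.
function auditDatabaseNames(databases) {
  const findings = [];
  for (const { name } of databases) {
    if (typeof name !== 'string') continue;
    for (const { kind, re } of IDENTIFIER_PATTERNS) {
      const m = name.match(re);
      if (m) {
        // Template = name with the identifier masked, used for grouping.
        findings.push({ name, kind, id: m[0], template: name.replace(m[0], '<id>') });
        break; // first matching pattern wins
      }
    }
  }
  return findings;
}

// Templates seen with more than one identifier suggest one database per
// signed-in account, which is what makes separate accounts linkable.
function multiAccountTemplates(findings) {
  const byTemplate = new Map();
  for (const f of findings) {
    if (!byTemplate.has(f.template)) byTemplate.set(f.template, new Set());
    byTemplate.get(f.template).add(f.id);
  }
  return [...byTemplate]
    .filter(([, ids]) => ids.size > 1)
    .map(([template, ids]) => ({ template, ids: [...ids] }));
}

// Constructed sample input (hypothetical names, not real identifiers).
const SAMPLE = [
  { name: 'offline-cache', version: 1 },
  { name: 'app-store:112233445566778899001', version: 3 },
  { name: 'app-store:998877665544332211009', version: 3 },
  { name: 'drafts-3f2b8c1e-9a4d-4e7b-8c21-0d5e6f7a8b9c', version: 1 },
];
console.log(auditDatabaseNames(SAMPLE));
console.log(multiAccountTemplates(auditDatabaseNames(SAMPLE)));
```

Names that are flagged are candidates for renaming to a fixed, non-identifying string, with the account identifier stored inside the database instead.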
The researchers noted that these leaks do not require any specific user action. A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real time, they explained.
Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.
FingerprintJS claims that more than 30 of the Alexa Top 1000 sites use indexed databases directly on their homepage, potentially leaving them exposed to the bug, though they “expect the number to be significantly higher in real-world scenarios”.
A proof-of-concept can be found in FingerprintJS’ blog post.
Apple has been made aware of the problem and, according to researchers, engineers have merged potential fixes and marked the report as resolved. However, FingerprintJS says the issue is still present, and intimated that a fix has not yet been released.
In the meantime, users “can’t do much” to protect themselves against the vulnerability, explained the researchers.
Martin Bajanik, software engineer at FingerprintJS, told The Daily Swig: “The real-world impact is that websites visited using an impacted browser (all browsers on iOS 15 and iPadOS 15, as well as Safari 15 on macOS) are able to access some of your browsing activity in different tabs or windows.
“We aren’t able to know which websites are taking advantage of this vulnerability, so until it is fixed, affected users’ privacy may or may not be violated by the sites they visit.”
Bajanik added: “macOS users can switch to a different browser in the meantime. iOS 15 and iPadOS 15 users do not have this option as all browsers are affected - their options are much more limited.
“Hopefully, this vulnerability will be fixed shortly, at which point the best protection will be updating one’s OS once the issue is resolved.”
The Daily Swig has reached out to Apple to find out more about when a patch for WebKit and iOS is incoming.
This article has been updated to include comment from FingerprintJS.