Date: 2022-01-17



A vulnerability in Safari could be exploited to expose your browser history and identity details.

The bug, revealed in a Saturday blog post by FingerprintJS, was introduced in Safari 15 through its implementation of the Indexed Database API (IndexedDB), which is part of Apple’s WebKit browser engine. Simply put, IndexedDB can be used to store data on your computer, such as websites you have visited, so that they load faster when you return later.

IndexedDB normally follows the same-origin policy, a security mechanism that prevents websites from interacting freely with one another unless they have the same domain name (among other requirements). Think of it as being isolated and only allowed to associate with your own family. So, for example, Netflix can’t access your stored IndexedDB data to see that you’ve been cheating on it with YouTube.

Unfortunately, because of the bug revealed by FingerprintJS, IndexedDB violates the same-origin policy and exposes the data it has collected to websites that did not collect it. To make matters worse, some websites, such as those on Google’s network, use unique user-specific identifiers in the data they provide to IndexedDB. This means that if you are logged in to your Google account, the collected data can be used to pinpoint both your browsing history and your account details. It can also reveal whether you are logged in to multiple accounts.

“This not only means that untrusted or malicious websites can learn user IDs, but they can also link multiple individual accounts used by the same user,” FingerprintJS wrote. The company has also released a demo showing the types of information the exploit may reveal.
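For site developers, what makes this leak identifying is any user-specific token a site embeds in the names of its IndexedDB databases, since FingerprintJS's report concerns database names becoming visible across origins. The following is an added example, not code from the article or from FingerprintJS: it audits the database names of your own origin for such tokens. The function names, heuristics and sample names are assumptions constructed for illustration.

```javascript
// Heuristic patterns (assumed, not exhaustive) for per-user tokens in a database name.
const TOKEN_PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "email", re: /[^\s@]+@[^\s@]+\.[a-z]{2,}/i },
  { kind: "long-number", re: /\d{10,}/ },
  { kind: "long-hex", re: /[0-9a-f]{16,}/i },
];

// Return the names that embed a known user ID or match one of the token patterns.
function auditDatabaseNames(names, knownUserIds = []) {
  const ids = knownUserIds.map((id) => String(id).toLowerCase()).filter(Boolean);
  const findings = [];
  for (const name of names) {
    const lower = String(name).toLowerCase();
    if (ids.some((id) => lower.includes(id))) {
      findings.push({ name, reason: "known-user-id" });
      continue;
    }
    const hit = TOKEN_PATTERNS.find((p) => p.re.test(name));
    if (hit) findings.push({ name, reason: hit.kind });
  }
  return findings;
}

// In a browser: audit the databases that belong to the page's own origin.
async function auditCurrentOrigin(knownUserIds) {
  const dbs = await indexedDB.databases(); // resolves to [{ name, version }, ...]
  return auditDatabaseNames(dbs.map((d) => d.name), knownUserIds);
}

// Constructed sample names; "u48213" stands in for the signed-in user's ID.
const SAMPLE_NAMES = [
  "app-settings",
  "offline-cache-v2",
  "messages:108234567890123456789",
  "drafts_alice@example.com",
  "sync-3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b",
  "profile-u48213",
];
console.log(auditDatabaseNames(SAMPLE_NAMES, ["u48213"]));
```

A name flagged here is a candidate for replacement with a fixed, per-purpose name that carries no user token.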

FingerprintJS reported the bug at the end of November last year, but Apple hasn’t fixed it yet. Mashable has asked Apple for comment.

This is all concerning, but there isn’t much you can do at this point. Browsing in Safari’s private mode can mitigate the potential damage, because private tabs can’t see what’s happening in other tabs, whether private or public. However, even this is not foolproof.

“When accessing multiple different websites within the same [private] tab, all databases that these websites interact with are leaked to all the websites that you visit subsequently,” FingerprintJS writes.

Mac users can work around this vulnerability by switching from Safari to another browser, but iOS and iPadOS users are out of luck. On Mac only Safari is affected, but Apple’s requirement that all iOS and iPadOS web browsers use WebKit means that the IndexedDB bug affects all browsers on these systems. The best we can do is wait for Apple to release a patch, switch to Android, or just log off.

