Safari Vulnerability Could Expose Internet Activity and User Identity

Spread the love

Apple’s Safari 15 browser contains a vulnerability that allows any website to track users’ Internet activity. The vulnerability can also reveal the user’s identity. FingerprintJS, a browser fraud detection service, discovered that.

FingerprintJS writes on its blog about the vulnerability in the form of the IndexedDB API implementation. The vulnerability is not only in Safari 15 on macOS, but also in all browsers on iOS and iPadOS 15. The implementation of this api in Safari 15 means that every time a website connects to a database, a new empty database with the same name is created in all other frames, tabs, and windows in the same browser session. This is a violation of the same-origin policy, according to FingerprintJS.

IndexedDB is intended for client-side storage, contains quite a bit of data and is supported by all major browsers. Like many similar APIs, Indexed DB uses the same-origin policy. This means that there are restrictions on how scripts or documents that are loaded from one source and that they cannot simply connect to another source.

According to FingerprintJS, that principle is being violated and the fact that the database names can be leaked across multiple sources is a clear privacy violation. It allows random websites to find out which websites the user visits in other tabs or windows. According to the service, this is possible because database names are usually unique and website-specific.

In addition, FingerprintJS also specifically points out that in some cases websites use unique, user-specific identifiers in database names. This means that authenticated users can be identified very precisely. In addition, YouTube, Google Calendar or Google Keep are mentioned as examples of sites that create databases containing the authenticated Google User ID. If the user is logged in to multiple accounts, databases will be created for all of these accounts. On the basis of this, malicious websites can trace the user’s identity and multiple, separate accounts of the same user can still be linked together.

The vulnerability affects not only Safari 15 on macOS, but all browsers on iOS and iPadOS 15, as all use the WebKit engine in accordance with Apple’s App Store regulations. According to FingerprintJS, there’s little that users can do about this vulnerability other than taking “drastic measures,” such as blocking all JavaScript by default and allowing it only on sites that are trusted. FingerprintJS says there is only one real solution: updating the browser or OS once the issue is resolved by Apple. The latter has not yet happened. The vulnerability was reported on November 28 last year.

You might also like
Exit mobile version