Safari Bug Can ‘Expose Apple Users Browser History, Personal Data’ to Malicious Sites

An undated file image of an iMac computer. (Pixabay)
Katabella Roberts
1/18/2022
Updated: 1/18/2022

A bug has been detected in Apple’s Safari 15 that could allegedly allow users’ browsing activity to be tracked and their personal data to be revealed to malicious sites.

The bug was revealed in a blog post on Saturday by FingerprintJS, a Chicago, Illinois-based company which developed the “fingerprinting” service to prevent fraud and spam.
According to FingerprintJS, the bug was introduced to Safari 15 via the Indexed Database API (IndexedDB), which is part of Apple’s WebKit, the web browser development engine.
IndexedDB is an application programming interface (API) that stores “significant amounts of structured data” on a user’s browser, such as the websites they have previously visited, in turn making them quicker to load when users visit them again, according to Mozilla.

As FingerprintJS notes, because IndexedDB is a low-level API that is commonly used and supported by all major browsers, many developers “choose to use wrappers that abstract most of the technicalities and provide an easier-to-use, more developer-friendly API.”

IndexedDB abides by the same-origin policy, a “critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin,” according to Mozilla.

Simply put, the policy prevents data from one origin, such as your email account which is open in one tab, from interacting with data from other origins, such as a malicious webpage opened in a second tab, meaning the malicious webpage cannot access data from your email account.

However, the bug, according to FingerprintJS, causes IndexedDB to expose the data it has collected to websites it didn’t collect it from.

“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy,” FingerprintJS said. “The fact that database names leak across different origins is an obvious privacy violation. It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific.”

Furthermore, the fingerprinting service discovered that some websites, such as YouTube, Google Calendar, or Google Keep, use unique user-specific identifiers in the data provided to IndexedDB, meaning that “authenticated users can be uniquely and precisely identified” if they are logged into their Google account.

“All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts,” FingerprintJS explained.

“Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user,” FingerprintJS said.

Unfortunately, users cannot do much about the bug for now, as even private mode in Safari 15 is affected by the leak. However, because browsing sessions in private Safari windows are restricted to a single tab, using this mode could reduce the amount of information that can be exposed via the bug.

“Another alternative for Safari users on Macs is to temporarily switch to a different browser. Unfortunately, on iOS and iPadOS this is not an option as all browsers are affected,” FingerprintJS said.

The Epoch Times has reached out to Apple for comment.

FingerprintJS reported the bug to the WebKit Bug Tracker at the end of November 2021, but Apple still hasn’t fixed it.
On Monday, the company said that Apple engineers had begun working on the bug on Sunday, have “merged potential fixes, and have marked our report as resolved,” but the bug will continue to affect Safari 15 users until changes are released.