apple
A vulnerability in Apple’s implementation of the IndexedDB API in Safari 15 allows websites to track users’ activity on other sites and even to reveal their identity, browser fingerprinting and fraud detection firm FingerprintJS explains.
Used in all major browsers, IndexedDB is a low-level browser API for storing client data, which follows the same-origin policy, to restrict the interaction of resources that have different origins.
Because indexed databases are associated with their specific origin, scripts that have a different origin should not be able to interact with those databases that have other origins.
However, FingerprintJS discovered that, in Safari 15 on macOS and in the browsers running on iOS and iPadOS 15 devices, the IndexedDB API is violating the same-origin policy.
“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” FingerprintJS explains.
The existence of these “cross-origin-duplicated databases” means that arbitrary websites can learn what other sites the user is visiting in other tabs or windows, because database names are typically website-specific.
In some cases, unique user-specific identifiers are used in the database name, which could allow for the identification of authenticated users.
Websites such as Google Calendar, Google Keep, and YouTube, for example, create databases containing the authenticated user’s Google ID. Databases are created for all of the accounts a user is logged into.
The Google User ID can be used to uniquely identify a specific Google account, and can be used with Google APIs to fetch available information on the account owner, including a user’s profile picture, at a minimum.
“Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user,” FingerprintJS explains.
No user interaction is required for these data leaks to occur, as websites querying the IndexedDB API can learn of other sites in real-time.
FingerprintJS has created a demo page which, once accessed in a vulnerable browser, shows how the user’s identity is leaked, if they are logged into their Google account in the same browser.
To protect themselves, Safari, iOS, and iPadOS users could block JavaScript on all sites that are not trusted, which is a drastic and inconvenient option. On macOS, users could switch to a different browser.
“The only real protection is to update your browser or OS once the issue is resolved by Apple,” FingerprintJS concludes.
You may also enjoy reading, The definitions of “recently” and “discovered” leave a lot to be desired
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
17,970 total views, 2 views today
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
1 thought on “Safari 15 Vulnerability Allows Cross-Site Tracking of Users”