A software bug introduced in Apple Safari 15's implementation of the IndexedDB API can be abused by a malicious website to track users' online activity in the web browser and, worse, even reveal their identities.
The vulnerability, dubbed IndexedDB Leaks, was disclosed by anti-cheat software company FingerprintJS, which reported the issue to the iPhone maker on November 28, 2021.
“Like most web hosting solutions, IndexedDB is subject to the same origin policy,” Mozilla notes in its API documentation. “So even though you can access data stored in one domain, you cannot access data across different domains.”
Same-origin is a fundamental security mechanism that ensures that resources retrieved from different origins – i.e., a combination of the scheme (protocol), host (domain), and port number of a URL – are isolated from each other. This effectively means that “http://example[.]com/” and “https://example[.]com/” are not from the same origin because they use different schemes.
But that's not the case with how Safari handles the IndexedDB API on iOS, iPadOS, and macOS.
“In Safari 15 on macOS and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same origin policy,” Martin Bajanik said in a post. “Every time a web page interacts with the database, a new (empty) database with the same name is created in all other active frames, tabs, and windows in the same browser session.”
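What that isolation is supposed to look like for database names, as an added example that is not from the article or from FingerprintJS: a toy per-origin registry in which a page can list only the databases created under its own scheme, host and port. The `OriginScopedRegistry` class, the helper functions and the `a.example`/`b.example` URLs are hypothetical.

```javascript
// Added example: origin-keyed storage model (all names are hypothetical).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple: scheme, host, port.
function originTuple(url) {
  const u = new URL(url);
  // URL.port is "" when the port is the scheme default, so fill it in.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return [u.protocol, u.hostname.toLowerCase(), port];
}

function sameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.every((part, i) => part === y[i]);
}

// Toy stand-in for a browser's per-origin database registry.
class OriginScopedRegistry {
  constructor() { this.byOrigin = new Map(); }
  key(url) { return originTuple(url).join("|"); }
  open(url, name) {
    const k = this.key(url);
    if (!this.byOrigin.has(k)) this.byOrigin.set(k, new Set());
    this.byOrigin.get(k).add(name);
  }
  // A page may list only the names created under its own origin.
  list(url) { return [...(this.byOrigin.get(this.key(url)) || [])].sort(); }
}

// Constructed sample: three pages open databases, then three pages list them.
function demo() {
  const reg = new OriginScopedRegistry();
  reg.open("https://a.example/app", "settings");
  reg.open("https://a.example:443/other", "cache"); // same origin as above
  reg.open("http://a.example/", "legacy");          // different scheme
  return {
    sameSite: reg.list("https://a.example/"),
    otherScheme: reg.list("http://a.example/"),
    otherHost: reg.list("https://b.example/"),
  };
}
console.log(demo());
```

The behaviour Bajanik describes corresponds to `list` returning names that were created under a different origin.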
The consequence of this privacy violation is that it allows websites to learn what other websites users are visiting in different tabs or windows, not to mention precisely identify users across different sites. This is the case with Google services such as YouTube and Google Calendar, since these sites create an IndexedDB database that includes an authenticated Google user ID, which is an internal identifier that uniquely identifies a Google account.
“This not only implies that untrusted or malicious websites can learn the identity of the user, but also allows the linking of many separate accounts used by the same user,” Bajanik said.
To make matters worse, the leak also affects Private Browsing mode in Safari 15 if users visit multiple different websites from within the same tab in the browser window. We’ve reached out to Apple for further comment, and we’ll update the story if we get a response.
“This is a big bug,” Google Chrome developer Jake Archibald tweeted. “On OSX, Safari users can (temporarily) switch to another browser to avoid having their data leak across the entire origin. iOS users have no such option because Apple imposes a ban on other browser tools.”