date 2022-01-19, from Davide Urietti

The cause of the vulnerability lies in the implementation of IndexedDB, an API that stores data in the browser

A bug in Safari 15 is putting users’ browsing activity at risk. Not only that: because of this problem, personal information linked to a Google account may also leak. The bug was revealed by FingerprintJS, a US company whose services are used to detect online fraud.

As explained on its blog, the cause of the vulnerability lies in Apple’s implementation of IndexedDB, an API (Application Programming Interface) that stores data in the browser. Normally, IndexedDB would adhere to the so-called same-origin policy: this means that data collected from one origin cannot interact with data from other origins.

An example gives a better idea: if we read our email in one tab and then open a malicious web page in another, the same-origin policy prevents the malicious page from interacting with the data and information contained in the email tab. However, FingerprintJS has now revealed that the IndexedDB API is violating the same-origin policy: a malicious page could therefore have access to the databases created by Safari for each website open at a given time.
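The same-origin rule described above, as a small JavaScript model of a database listing that is scoped by origin next to one that is not. This is an added example, not code from FingerprintJS, Apple or Safari; the class, the function names and the `.example` URLs are constructed for illustration.

```javascript
// Constructed model, not browser code: a registry of per-site databases.
class DatabaseRegistry {
  constructor() {
    this.entries = []; // each entry: { origin, name }
  }

  // An origin is the (scheme, host, port) triple; URL.origin serializes it.
  static originOf(url) {
    return new URL(url).origin;
  }

  create(pageUrl, name) {
    this.entries.push({ origin: DatabaseRegistry.originOf(pageUrl), name });
  }

  // Expected behaviour: a page sees only databases created by its own origin.
  listSameOrigin(callerUrl) {
    const caller = DatabaseRegistry.originOf(callerUrl);
    return this.entries.filter((e) => e.origin === caller);
  }

  // Behaviour the article describes: the listing is not scoped by origin.
  listUnscoped(_callerUrl) {
    return this.entries.slice();
  }
}

// Isolation check: visible entries that belong to an origin other than the caller's.
function crossOriginLeaks(callerUrl, visibleEntries) {
  const caller = DatabaseRegistry.originOf(callerUrl);
  return visibleEntries.filter((e) => e.origin !== caller);
}

function demo() {
  const reg = new DatabaseRegistry();
  reg.create("https://mail.example/inbox", "mailbox-cache");
  reg.create("https://mail.example:8443/admin", "admin-cache"); // other port = other origin
  reg.create("https://untrusted.example/", "page-state");
  const caller = "https://untrusted.example/article";
  return {
    scoped: crossOriginLeaks(caller, reg.listSameOrigin(caller)).map((e) => e.name),
    unscoped: crossOriginLeaks(caller, reg.listUnscoped(caller)).map((e) => e.name),
  };
}
```

With correct scoping the isolation check returns nothing; with the unscoped listing it reports every database that belongs to another origin.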

The greatest risk is posed by pages related to your Google account, such as YouTube, Google Calendar and other Mountain View services. FingerprintJS, in fact, explained that these pages, through IndexedDB, generate a database in Safari from which it is possible to trace the Google User ID, an internal identifier generated by Google and uniquely linked to a single Google account. As a result, a malicious page could subsequently access publicly available information of a given Google account.

Anyone who would like a clear idea of how many and which sites are affected by the bug can try a demo made available by FingerprintJS at this link. On macOS, iOS or iPadOS, it is sufficient to connect to this page to discover the pages visited and the related databases created by Safari, which could therefore leak personal information and browsing activity.

Although the bug was reported in late November 2021, Apple has not yet released an update to address the situation. Furthermore, at the moment, there is no way to avoid the problem: FingerprintJS, in fact, has revealed that incognito browsing is not enough. On macOS, however, the vulnerability can be avoided by temporarily choosing another browser. That solution unfortunately cannot be adopted on iOS or iPadOS, given that on these operating systems the bug is present in any browser, due to Apple’s ban on the browser engines of third-party apps.