Bug in Safari WebKit engine leaks data

by Emma Davis
January 17, 2022
Bug in Safari engine
Written by Emma Davis

A bug in the IndexedDB API in the Safari WebKit engine can be used by malicious sites to track users’ online activity and reveal their identity.

The vulnerability was dubbed IndexedDB Leaks and was discovered by FingerprintJS, a company that develops anti-fraud software. Researchers notified Apple developers about the problem back in November 2021.

IndexedDB is a widely used browser API that provides a general-purpose client-side storage system (with no capacity limits). The API is typically used to cache web application data for offline viewing. In addition, modules, development tools and extensions can use it to store information.

To prevent potential data leaks through XSS attacks, IndexedDB adheres to the Same Origin Policy, controlling which resources can access certain pieces of data. However, FingerprintJS analysts have found that IndexedDB does not follow the SOP in Safari 15 on macOS, resulting in the disclosure of sensitive data.

Browsers that use the same engine in the latest versions of iOS and iPadOS are also affected by the bug. In addition, the root of the problem lies in WebKit, which means that any browser that uses this engine (for example, Brave or Chrome for iOS) is also vulnerable. To check your browser for leaks, you can visit a special page created by FingerprintJS analysts.

YouTube player

Experts explain that the bug allows any site to find out the names of databases created within a single session. Since the database names are unique and site-specific, the bug actually provokes a leak of a browsing history. Worse, some database names contain user IDs, so a leak can lead to user identification as well.

According to analysts, to identify a person using this vulnerability, you need to log in and visit popular sites such as YouTube and Facebook, or services such as Google Calendar and Google Keep. When you sign in to these resources, a new database, IndexedDB, is created with the user’s Google ID appended to its name. When using multiple Google accounts, separate databases are created for each of them.

We checked the home pages of the top 1,000 most visited websites by Alexa to see how many sites use IndexedDB and can be uniquely identified by the databases they interact with. The results show that more than 30 sites interact with the indexed databases directly on their home page without any additional user interaction and without the need for authentication.the experts say.

Although Apple reported the vulnerability as early as November 28, 2021, the bug is still unresolved. One way to temporarily mitigate this problem is to completely block JavaScript, but this can cause problems for many sites.

Let me remind you that not only Safari browser has issues. We wrote that Firefox has fixed the “evil cursor” problem, and also that Google Chrome developers fix conflict with antiviruses in Windows 10.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending