A software bug introduced in Apple Safari 15’s implementation of the IndexedDB API could be abused by a malicious website to track users’ online activity in the web browser and worse, even reveal their identity.
The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the issue to the iPhone maker on November 28, 2021.
IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers for managing a NoSQL database of structured data objects such as files and blobs.
“Like most web storage solutions, IndexedDB follows a same-origin policy,” Mozilla notes in its documentation of the API. “So while you can access stored data within a domain, you cannot access data across different domains. “
Same-origin is a fundamental security mechanism that ensures that resources retrieved from distinct origins — i.e., a combination of the scheme (protocol), host (domain), and port number of a URL — are isolated from each other. This effectively means that “http[:]//example[.]com/” and “https[:]//example[.]com/” are not of the same origin because they use different schemes.
By restricting the way a script from one origin interacts with a resource of another origin, it is possible to reduce potentially malicious scripts.
But that’s not the case with how Safari handles the IndexedDB API in Safari across iOS, iPadOS, and macOS.
“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy,” Martin Bajanik said in a write-up. A website that interacts with a databank creates a new empty database. This happens in every other tab, active frame, or window within the browser session. “
This privacy breach allows websites to see what websites users are visiting on different tabs and windows. It also permits websites to identify specific users using Google services such as YouTube or Google Calendar. These websites then create IndexedDB database that includes authenticated Google User IDs. An internal identifier that uniquely identifies one Google account.
“This does not only imply that malicious or untrusted websites could learn the identity of a user, it also permits the linking up multiple accounts owned by the same person,” Bajanik stated.
To make matters worse, the leakage also affects Private Browsing mode in Safari 15 should a user visit multiple different websites from within the same tab in the browser window. Apple has been contacted for comment. We will update this story when we get back to them.
“This is a huge bug,” Jake Archibald, developer advocate for Google Chrome, tweeted. “On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines. “
