FingerprintJS, a fraud prevention software company, recently disclosed that a vulnerability in the IndexedDB API in Safari 15 has been exploited by malicious websites and can be used to track users' web browsing data. Worse still, the vulnerability also risks exposing users' identities.
FingerprintJS has named this vulnerability IndexedDB Leaks and reported the issue to Apple Inc. on November 28, 2021.
IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers for managing NoSQL databases of structured data objects, including files and blobs.
The Mozilla organization points out in its API documentation: "Like most network storage solutions, IndexedDB follows the same-origin policy, so users can access stored data within a domain but not across different domains."
The same-origin policy is a basic security mechanism that keeps resources obtained from different origins isolated from each other. Two resources share an origin only when the scheme (protocol), host (domain), and port number of their URLs all match. By limiting how scripts loaded from one origin can interact with resources loaded from another, the policy prevents a malicious website from running arbitrary JavaScript that reads data from another domain (such as an email service), thus containing potentially malicious scripts and reducing the available attack vectors.
However, Safari does not handle the IndexedDB API this way on iOS, iPadOS, or macOS. Each time a website interacts with a database, a new empty database with the same name is created in all other active frames, tabs, and windows in the same browser session.
This privacy-invasive behaviour lets a website learn which other websites the user has visited in other tabs or windows. It can even identify users precisely on Google services such as YouTube and Google Calendar, because those websites create IndexedDB databases whose names include the authenticated Google user ID, the internal identifier that uniquely identifies a single Google account.
This not only means that an untrusted or malicious website can learn the user's identity, but also lets such a website link together multiple separate accounts used by the same user.
Worse still, a user who visits several different websites from the same browser tab is not protected even when using Safari 15's private browsing mode.
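The isolation the article describes can be checked from a page's own point of view: a site knows which IndexedDB databases it created, so any other name returned by `indexedDB.databases()` did not come from its origin. The following is an added example, not code from the article or from FingerprintJS; the URLs and database names are constructed for illustration.

```javascript
// Added example (not from the article or FingerprintJS): a self-check that a
// site can run to confirm that IndexedDB is isolated per origin as the
// same-origin policy promises. URLs and database names are constructed.

// The origin of a URL is its scheme, host and port. The WHATWG URL parser drops
// a default port (443 for https, 80 for http), so https://a.example:443 is the
// same origin as https://a.example, while a non-default port is kept.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;   // u.host includes a non-default port
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Given what indexedDB.databases() reported and the names this origin created
// itself, anything extra was not created by this origin. In a correctly
// isolated browser the foreign list is always empty; in the Safari 15 behaviour
// described above it holds the empty copies created by sites in other tabs.
function checkIsolation(reported, ownNames) {
  const own = new Set(ownNames);
  const foreign = reported
    .map((db) => db.name)
    .filter((name) => !own.has(name));
  return { isolated: foreign.length === 0, foreign };
}

// Browser entry point (not exercised here): compare the live listing with the
// names this page knows it created. indexedDB.databases() is a real API that
// resolves to an array of { name, version } objects.
async function runSelfCheck(ownNames) {
  if (typeof indexedDB === 'undefined' || typeof indexedDB.databases !== 'function') {
    return { isolated: true, foreign: [], note: 'indexedDB.databases() unavailable' };
  }
  return checkIsolation(await indexedDB.databases(), ownNames);
}

// Constructed listings: what an isolated browser returns for a page that created
// only "app-cache", and what a leaking browser returns for the same page.
const ISOLATED_LISTING = [{ name: 'app-cache', version: 1 }];
const LEAKY_LISTING = [
  { name: 'app-cache', version: 1 },
  { name: 'other-site-session', version: 1 }, // constructed: created by another tab
  { name: 'another-origin-db', version: 1 },  // constructed: created by another window
];
```

In a browser, `runSelfCheck(['app-cache'])` resolves to `{ isolated: true, foreign: [] }` when the browser isolates IndexedDB correctly; a non-empty `foreign` list is the symptom the article describes.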
"This is a huge vulnerability," Google Chrome developer advocate Jake Archibald wrote on Twitter. "On the OSX operating system, Safari users can temporarily switch to another browser to avoid their data leaking across sources, but iOS users do not have such an option because Apple bans other browser engines."
Reference source:
https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.html