A vulnerability in Apple’s implementation of the IndexedDB API in Safari 15 allows websites to track users’ activity on other sites and even to reveal their identity, browser fingerprinting and fraud detection firm FingerprintJS explains.
Used in all major browsers, IndexedDB is a low-level browser API for storing client data, which follows the same-origin policy, to restrict the interaction of resources that have different origins.
Because indexed databases are associated with their specific origin, scripts that have a different origin should not be able to interact with those databases that have other origins.
However, FingerprintJS discovered that, in Safari 15 on macOS and in the browsers running on iOS and iPadOS 15 devices, the IndexedDB API is violating the same-origin policy.
“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” FingerprintJS explains.
The existence of these “cross-origin-duplicated databases” means that arbitrary websites can learn what other sites the user is visiting in other tabs or windows, because database names are typically website-specific.
In some cases, unique user-specific identifiers are used in the database name, which could allow for the identification of authenticated users.
Websites such as Google Calendar, Google Keep, and YouTube, for example, create databases containing the authenticated user’s Google ID. Databases are created for all of the accounts a user is logged into.
The Google User ID can be used to uniquely identify a specific Google account, and can be used with Google APIs to fetch available information on the account owner, including a user’s profile picture, at a minimum.
“Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user,” FingerprintJS explains.
No user interaction is required for these data leaks to occur, as websites querying the IndexedDB API can learn of other sites in real-time.
FingerprintJS has created a demo page which, once accessed in a vulnerable browser, shows how the user’s identity is leaked, if they are logged into their Google account in the same browser.
To protect themselves, Safari, iOS, and iPadOS users could block JavaScript on all sites that are not trusted, which is a drastic and inconvenient option. On macOS, users could switch to a different browser.
“The only real protection is to update your browser or OS once the issue is resolved by Apple,” FingerprintJS concludes.
Related: Apple Patches iOS HomeKit Flaw After Researcher Warning
Related: Apple Patches Vulnerabilities That Earned Hackers $600,000 at Chinese Contest
Related: Apple Patches 42 Security Flaws in Latest iOS Refresh
