Securing APIs properly is extremely important. Back in August 2021, the default configuration in Microsoft's Power Apps portals led to 38 million records being leaked due to a publicly accessible API hosting confidential information. Now, security researchers have identified a similar bug in a Safari 15 API that can leak your personal data.
Security researchers over at FingerprintJS have located an issue in the implementation of the IndexedDB API which should follow the same-origin security mechanism where indexed databases, scripts, and documents of one origin should not be able to interact with objects from another origin.
However, IndexedDB violates this policy. The researchers have noted that every time a website communicates with a database, Safari 15 on macOS and all versions of the browser on iOS and iPadOS 15 create a new and empty, but shared, database in all active tabs, frames, and windows inside the same browser session. What's worse is that this cross-origin duplicated database is created with the same name as the original which means that it's easier for a malicious website author to determine the sensitivity of the data you are accessing.
The security analysts have noted that some websites such as YouTube, Google Calendar, and Google Keep create databases based on IDs such as Google User ID, which can then be used to track and link heterogeneous data belonging to an individual. The blog post mentions that:
Note that these leaks do not require any specific user action. A tab or window that runs in the background and continually queries the IndexedDB API for available databases, can learn what other websites a user visits in real-time. Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.
Essentially, any website that uses IndexedDB is affected, which also means that users of those websites have their privacy at risk. What's worse is that even people using Safari in private mode are not safe, although the fact that private mode is restricted to a single tab reduces the potential extent of data leakage. However, if you visit multiple websites in the same tab, your data will leak over to all those websites.
FingerprintJS reported the issue to Apple on November 28, 2021 but Safari has received no update for this bug so far. The researchers have also published proof-of-concept code and a demo of the bug publicly which also means that there is a higher chance of malicious actors leveraging from the exploit and that Apple will need to push out a fix as soon as possible.
For now, the only way to protect yourself from data leakage and tracking is to block all JavaScript by default but that will likely hamper your browsing experience. People using macOS can also switch to a different browser for the time being but this workaround will unfortunately not work for iOS users since all browsers on Apple's mobile OS are based on WebKit, which means that they are also affected.
7 Comments - Add comment