According to FingerprintJS researchers, a bug in the Safari 15 browser allows any website to track a user’s Internet activity and possibly reveal their identity.
“Additionally, vulnerabilities such as cross-site scripting also allow targeting through trusted sites, although the risk is much lower. Another alternative for Safari users on Mac is to temporarily switch to another browser.
However, on iOS and iPadOS this is not an option as all browsers are affected, so users on these platforms should wait for Apple to release a fix.
Safari 15’s private mode is also affected by the leak, the report says. While browsing sessions in private Safari windows are limited to a single tab, reducing the scope of information available through the leak, if a user visits multiple different websites in the same tab, all databases with which these websites interact are disclosed to all subsequently visited websites.
At issue is the implementation of the IndexedDB API, which allows any website to track a user’s internet activity. IndexedDB is a browser API for client-side storage designed to hold massive amounts of data, the report says. It is supported by all major browsers and is very commonly used. As IndexedDB is a low-level API, many developers choose to use wrappers that abstract most of the technical aspects and provide an easier-to-use, developer-friendly API.
IndexedDB follows the same-origin policy, a fundamental security mechanism that limits how documents or scripts loaded from one origin can interact with resources from other origins. An origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. Indexed databases are associated with a specific origin, the report says. Documents or scripts associated with different origins should never have the ability to interact with databases associated with other origins.
However, according to the researchers, in Safari 15 on macOS and in all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy. Each time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs and windows within the same browser session. Windows and tabs generally share the same session, unless you switch to another profile in Chrome, for example, or open a private window.
“The fact that database names are leaking across different origins is a clear breach of privacy,” the researchers say. “It allows arbitrary websites to learn which websites the user is visiting in different tabs or windows. This is possible because database names are usually unique and website-specific. Additionally, we have observed that in some cases, websites use user-specific unique identifiers in database names, which means that authenticated users can be uniquely and accurately identified.
“This means authenticated users can be uniquely and accurately identified. Some popular examples would be YouTube, Google Calendar or Google Keep. All these websites create databases which include the authenticated Google user ID and in case the user is logged in to multiple accounts, databases are created for all these accounts.
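The two points above, the origin definition behind the same-origin policy and the reason user identifiers in database names make the leak worse, can be shown with a small model. The following is an added example written for this page; it is not code from the FingerprintJS report, from Apple, or from any of the sites named. It does not touch a real IndexedDB: the browser session is a plain Map so the script runs in Node, and the origins (`attacker.example`, `video.example`, `notes.example`), the database names and the `looksUserSpecific` heuristic are all constructed for illustration.

```javascript
// Added example, not code from the FingerprintJS report or from Apple. It
// models (1) origin comparison as the same-origin policy defines it, (2) the
// Safari 15 name leak as the article describes it (a same-named empty
// database appears under every other active origin), and (3) a naming
// convention that keeps account identifiers out of database names.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (scheme, host, port) triple of the URL, with the scheme's
// default port filled in when the URL omits it.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Two URLs are same-origin only when all three components match.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

function originKey(urlString) {
  const o = originOf(urlString);
  return `${o.scheme}//${o.host}:${o.port}`;
}

// Simulated browser session: origin key -> Set of database names visible there.
function newSession() {
  return new Map();
}

// Registers the origin as "active" (a tab or frame is open there) and returns
// the set of database names it can see.
function namesAt(session, pageUrl) {
  const key = originKey(pageUrl);
  if (!session.has(key)) session.set(key, new Set());
  return session.get(key);
}

// Correct behaviour: the name is registered only under the opener's origin.
// Leaky behaviour (Safari 15 per the report): an empty database with the same
// name also appears under every other origin active in the session.
function openDatabase(session, pageUrl, dbName, { leaky = false } = {}) {
  namesAt(session, pageUrl).add(dbName);
  if (leaky) {
    for (const [key, names] of session) {
      if (key !== originKey(pageUrl)) names.add(dbName);
    }
  }
}

// What a page at observerUrl could list in this model (sorted for stable output).
function visibleDatabases(session, observerUrl) {
  return [...namesAt(session, observerUrl)].sort();
}

// Naming convention (an assumption of this example): one database per app,
// never per account. Account scoping lives inside the database, in object
// store keys, so a leaked name carries no user identifier.
function databaseNameFor(appName) {
  return `${appName}-store`;
}

// Heuristic check a site could run over its own database names in tests:
// flag names embedding something that looks like an account identifier
// (a run of 8+ digits, or an '@' as in an e-mail address).
function looksUserSpecific(dbName) {
  return /\d{8,}/.test(dbName) || dbName.includes("@");
}

// Demonstration with constructed origins: an observer tab is open, then two
// other sites open databases in an affected (leaky) browser.
function demo() {
  const session = newSession();
  namesAt(session, "https://attacker.example/");
  openDatabase(session, "https://video.example/", "video-123456789012", { leaky: true });
  openDatabase(session, "https://notes.example/", databaseNameFor("notes"), { leaky: true });
  const seen = visibleDatabases(session, "https://attacker.example/");
  return { leakedToObserver: seen, userSpecificLeaks: seen.filter(looksUserSpecific) };
}

console.log(demo());
```

In the leaky run the observer learns both names, so it knows both sites were visited, but only the first name also identifies the account; the `notes-store` convention limits the damage to "this site was open", which is the most a site can do on its side while the browser bug is unpatched.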