Safari 15 could leak Google Account information to malicious websites • The Register

An incorrectly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers.

The vulnerability was discovered by the fraud detection service Fingerprint JS, which contacted WebKit maintainers and provided a public source code repository.

On November 28 last year, the problem was not resolved, so the team at Fingerprint JS decided to publish its findings to encourage a faster fix.

The commonly used low-level JavaScript API, called IndexedDB, follows the same-origin policy, which means that documents or scripts associated with one origin should not interact with resources associated with other origins. A web page opened in one tab of the browser should not be able to share data with the next tab, for obvious reasons: one tab might be used to access a user's bank while the other holds a malicious website.

However, in Safari 15's implementation of IndexedDB, the separate pages do interact, putting the user at risk. In Safari 15, every time a site interacts with a database, a new empty one with the same name is created in all active frames, tabs, and windows in the same browser session. As a result, other websites can see the names of the databases. The Safari bug can then reveal publicly available information from, for example, a Google Account.

Users logged in to their Google Account will have their unique Google User ID placed in the database name. Database names can then be used to extract identifying information from a lookup table if websites scrape the Google user ID and use it to find personal information.

Not only can a malicious website learn the identity of the user, it can also link together several separate accounts belonging to the same user, without that person doing anything other than leaving a window running in the background. The malicious website can also open other websites programmatically in an iframe or popup, thus opening a Pandora's box of leaky data.
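From the site operator's side, the exposure described above depends on what a site puts in its IndexedDB database names. The following added example (not from the article or from Fingerprint JS) audits a list of database names for identifier-like tokens; the patterns, the sample names and the function names are assumptions made for illustration.

```javascript
// Heuristic patterns for identifier-like tokens in a database name.
// These are assumptions for illustration; tune them to your own ID formats.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[^\s@:]+@[^\s@]+\.[a-z]{2,}/i },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "numeric-id", re: /\d{10,}/ }, // long digit run, e.g. an account number
];

// Return one finding per database name that embeds an identifier-like token.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    for (const { kind, re } of IDENTIFIER_PATTERNS) {
      const match = re.exec(String(name));
      if (match) {
        findings.push({ name, kind, token: match[0] });
        break; // one hit is enough to flag the name
      }
    }
  }
  return findings;
}

// Browser-only helper: audit the databases created by your own origin.
// IDBFactory.databases() resolves to an array of { name, version } records.
async function auditOwnOrigin() {
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name));
}

// Constructed sample names (not taken from any real site).
const SAMPLE_NAMES = [
  "app-cache",
  "offline.settings.123456789012345678901",
  "mail-store:alice@example.com",
  "sync-3f2b8c1e-9d4a-4c6b-8e2f-1a2b3c4d5e6f",
  "v2-assets",
];

for (const f of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${f.kind}: "${f.name}" embeds ${f.token}`);
}
```

A name that is flagged here is better replaced by a fixed database name, with the per-user value stored as a record inside the database, where the same-origin policy still applies to it.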

Fingerprint JS made a video explaining the process.

The team found that more than 30 sites out of the Alexa Top 1000 interacted with indexed databases on their website without the user doing anything, and they reckon there are tons more out there.

Unfortunately, browsing in private mode did not solve the problem, although the scope of information available via the leak is more limited by the nature of the tool.

The fraud detection service created a demo to identify the sites that a Google Account user has open or has recently opened. It looks for over 20 specific sites that it knows are problematic when used with a Google Account in Safari 15 on macOS, or on iOS 15 or iPadOS 15, where Apple requires browsers to use WebKit.

Aside from blocking JavaScript, not using Google Accounts, or switching to a different browser where one is available (not an option on iOS and iPadOS) while browsing the web on an Apple product, there is little to do but wait, said the team.

It's all a bit ironic considering that in June 2020, Apple refused to implement 16 web APIs in Safari's WebKit engine, claiming they posed a privacy threat. Some researchers hailed the move as a victory for privacy, but many mocked the decision, saying the action was taken to force the use of native iOS apps and the income they bring in.

Of course, this kind of our-products-only approach goes beyond browsers for the company. Last week, Apple was forced to stop dragging its feet and allow third-party app billing systems in Korea under the country's Telecommunications Business Act. Google was ordered to do the same in September and complied in November - over two months before Apple.

Steamrolling the use of WebKit, and thus IndexedDB, has been problematic in the past. A bug in Safari 14.1.1 on macOS 11.4 and iOS 14.6, which manifested when applications first tried to use the IndexedDB NoSQL manager to store data, caused user outrage in June last year. An open source developer described Apple as "directly hostile to the web." ®
