Apple’s Safari 15 browser contains a vulnerability that allows any website to track users’ online activity. The vulnerability could also reveal the identity of the user. It was discovered by FingerprintJS, a browser fraud detection service.
FingerprintJS writes on its blog that the vulnerability lies in Safari’s implementation of the IndexedDB API. The vulnerability is present not only in Safari 15 on macOS, but also in all browsers on iOS and iPadOS 15. Because of the way Safari 15 implements this API, every time a website connects to a database, a new empty database with the same name is created in all other windows and tabs in the same browser session. According to FingerprintJS, this is a violation of the same-origin policy.
IndexedDB is a client-side storage API that can hold a large amount of data and is supported by all major browsers. Like many similar APIs, IndexedDB follows the same-origin policy. This means that there are restrictions on how scripts or documents loaded from one origin can interact with resources from another origin, and that it is simply not possible for them to connect to a database that belongs to another origin.
According to FingerprintJS, this principle is being violated, and the fact that database names can leak across origins is a clear breach of privacy. It allows arbitrary websites to detect which websites the user visits in other tabs or windows. This is possible because database names are usually unique and specific to the website or service that creates them.
In addition, FingerprintJS specifically points out that in some cases websites use unique user-specific identifiers in database names. This means that authenticated users can be identified very precisely. YouTube, Google Calendar and Google Keep are mentioned as examples of sites that create databases whose names contain an authenticated Google User ID. If the user is logged into multiple accounts, databases are created for all these accounts. Based on this, malicious websites can learn a user’s identity, and it is even possible to link multiple separate accounts of the same user together.
The vulnerability in Safari 15 affects not only macOS but also all browsers on iOS and iPadOS 15, because Apple’s App Store rules require all of them to use the WebKit engine. According to FingerprintJS, there’s not much users can do about this vulnerability other than taking “strict measures”, such as blocking all JavaScript by default and only allowing it on trusted sites. FingerprintJS says there is only one real solution: update your browser or OS once the problem is fixed by Apple. The latter has not yet happened. The vulnerability was reported on November 28 last year.
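
For site operators, the identity leak described above depends on database names carrying user-specific identifiers. The following added example, which is not code from FingerprintJS or from this article, audits a list of database names an application creates and flags the ones that embed such identifiers; the function name, the patterns and the sample names are constructed assumptions.

```javascript
// Added example: flag IndexedDB database names that embed user identifiers.
// The patterns and SAMPLE_NAMES are constructed for illustration (assumptions).
const ID_PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-number", re: /\d{10,}/ }, // numeric account IDs
  { kind: "email", re: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i },
];

// names: database names your application opens (collected from its code or
// from the browser's storage inspector on your own origin).
// knownUserIds: identifiers of test accounts to search for literally.
function auditDatabaseNames(names, knownUserIds = []) {
  const findings = [];
  for (const name of names) {
    const reasons = new Set();
    for (const id of knownUserIds) {
      if (id && name.includes(String(id))) reasons.add("known-user-id");
    }
    for (const { kind, re } of ID_PATTERNS) {
      if (re.test(name)) reasons.add(kind);
    }
    if (reasons.size > 0) findings.push({ name, reasons: [...reasons] });
  }
  return findings;
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-settings",
  "offline-cache|108234567890123456789",
  "notes-3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b",
  "mail:alice@example.com",
  "img-cache-v2",
];

for (const f of auditDatabaseNames(SAMPLE_NAMES, ["108234567890123456789"])) {
  console.log(`${f.name}: ${f.reasons.join(", ")}`);
}
```

A flagged name can be replaced with a fixed name, with the per-user key kept inside the database. This addresses only the identity exposure, not the leak of which sites are open.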