Apple’s Safari 15 browser contains a vulnerability that allows any website to track users’ online activity. The vulnerability could also reveal the identity of the user. FingerprintJS, a browser fraud detection service, has discovered this.
FingerprintJS writes on its blog that the vulnerability lies in Safari's implementation of the IndexedDB API. The vulnerability is not only present in Safari 15 on macOS, but also in all browsers on iOS and iPadOS 15. Because of the way Safari 15 implements this API, every time a website interacts with a database, a new, empty database with the same name is created in all other tabs, windows and frames in the same browser session. According to FingerprintJS, this is a violation of the same-origin policy.
IndexedDB is a widely used client-side storage API that can hold large amounts of data and is supported by all major browsers. Like many similar APIs, IndexedDB follows the same-origin policy. This means that there are limits on what scripts or documents loaded from one origin can do, and that connecting to another origin's database is simply not possible.
According to FingerprintJS, this principle is being violated, and the fact that database names leak across origins is a clear breach of privacy. It allows arbitrary websites to detect which other websites the user visits in other tabs or windows. This is possible because database names are usually unique and specific to the website that created them.
In addition, FingerprintJS specifically points out that in some cases websites use unique, user-specific identifiers in database names. This means that authenticated users can be identified very precisely. YouTube, Google Calendar and Google Keep are mentioned as examples of sites that create databases whose names contain the authenticated Google User ID. If the user is logged into multiple accounts, databases are created for all of these accounts. Based on this, malicious websites can determine a user's identity, and it is even possible to link multiple separate accounts of the same user together.
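The identity leak FingerprintJS describes exists because user IDs end up in database names. As an added example (not code from FingerprintJS, Apple or the article), here is a site-side way to keep identifiers out of those names: a check that flags identifying-looking names, and a helper that opens the database under a random alias whose mapping is kept in localStorage rather than in the name itself. The `storage` and `random` parameters are assumptions made so the naming logic can be exercised outside a browser.

```javascript
// Added example: keep user identifiers out of IndexedDB database names,
// because Safari 15 exposed those names to every other origin in the session.
// `storage` is assumed to be a Storage-like object (getItem/setItem) and
// `random` a function returning n random bytes; both default to browser APIs.

const ALIAS_PREFIX = "db-alias:";

// Heuristic guard: long digit runs (account IDs), e-mail addresses or UUIDs
// in a database name are a sign that the name identifies the user.
function looksIdentifying(name) {
  return /\d{8,}/.test(name) ||
         /[^\s@]+@[^\s@]+\.[^\s@]+/.test(name) ||
         /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i.test(name);
}

function toHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("");
}

// Returns a stable but opaque database name for this user on this device.
// The userId -> alias mapping lives in `storage`, which is same-origin only,
// so a cross-origin page that sees the name learns nothing about the user.
function aliasFor(userId, storage = globalThis.localStorage,
                  random = n => crypto.getRandomValues(new Uint8Array(n))) {
  const key = ALIAS_PREFIX + userId;
  let alias = storage.getItem(key);
  if (!alias) {
    alias = "app-" + toHex(random(16)); // 128 random bits, no user data
    storage.setItem(key, alias);
  }
  return alias;
}

// Browser entry point: refuses to open a database under an identifying name
// and opens the per-user store under its alias instead.
function openUserDb(userId, version = 1) {
  if (looksIdentifying(userId) === false && looksIdentifying("x")) {
    // unreachable; kept simple: userId itself is never used as a name
  }
  return indexedDB.open(aliasFor(userId), version);
}
```

The alias is still stable per device, so a cross-origin page could at most use it as a pseudonymous token; it no longer reveals which account, or which person, it belongs to.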