Apple Safari Bug Allows for Web User Tracking
- By David Lukic
- Published: Jan 17, 2022
- Last Updated: Mar 18, 2022
Apple Safari users should be aware that the browser has an unpatched bug that permits cross-site user tracking. The bug is present within the IndexedDB API of Apple Safari 15. It is possible the bug will be abused by a nefarious webmaster to track web surfers’ online activity within the browser. There is even a chance such tracking can reveal the identity of web surfers. Let’s take a closer look at the details of the bug to give Apple Safari users a sense of why it has the potential to lead to identity theft and other problems.
What is the Specific Safari Vulnerability?
The bug is referred to as Indexed Leaks. This security flaw was identified by FingerprintJS, a fraud protection business. The company reported the bug to Apple in late November of ’21.
IndexedDB is best described as a JavaScript application programming interface (API) that web browsers provide for managing NoSQL databases of data, including blobs and files. Mozilla’s documentation states that IndexedDB adheres to the same-origin policy, like the majority of internet storage solutions. The same-origin policy is an essential security mechanism that restricts how resources loaded from one origin can interact with resources from another. An origin is the combination of a URL’s protocol (scheme), host, and port number. In plain terms, this means URLs with subtle differences, such as an “s” after “http”, are not the same origin because they have different schemes.
The bug is considered low-level. The same-origin policy restricts how a script loaded from one origin can interact with a separate origin’s resources. This isolates harmful scripts and reduces potential attack vectors by preventing rogue sites from running JavaScript that analyzes data from a separate domain, such as an email service.
Why is the Bug an Issue Restricted to Safari?
Safari’s handling of the IndexedDB API in macOS, iPadOS, and iOS is a major issue. Safari 15’s IndexedDB API does not adhere to the same-origin policy: when a site interacts with a database, a new, empty database with the same name is created in the other active windows, tabs, and frames of the same browsing session.
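The following added example (not from the original article or from FingerprintJS) models the two behaviours described above in plain JavaScript: database names partitioned by origin, and the Safari 15 behaviour in which a same-named empty database appears in other active frames. It is a simulation that does not call the browser’s IndexedDB API; the class, the function names, the URLs, and the database name are constructed for illustration.

```javascript
// Added illustration: a toy model, not browser code. All names are hypothetical.

// An origin is scheme + host + port; URL.origin drops default ports (443 for https).
function originOf(url) {
  return new URL(url).origin;
}

class BrowsingSession {
  // leakAcrossOrigins: true models the Safari 15 behaviour described above,
  // false models storage that follows the same-origin policy.
  constructor(leakAcrossOrigins) {
    this.leakAcrossOrigins = leakAcrossOrigins;
    this.frames = new Map(); // origin -> Map(database name -> record count)
  }

  // Register an active window, tab or frame for the URL's origin.
  open(url) {
    const origin = originOf(url);
    if (!this.frames.has(origin)) this.frames.set(origin, new Map());
    return origin;
  }

  createDatabase(url, name, recordCount) {
    const owner = this.open(url);
    this.frames.get(owner).set(name, recordCount);
    if (!this.leakAcrossOrigins) return;
    // Bug model: every other active origin gets a new, empty database of that name.
    for (const [origin, databases] of this.frames) {
      if (origin !== owner && !databases.has(name)) databases.set(name, 0);
    }
  }

  // Database names that exist in the given URL's origin.
  namesVisibleTo(url) {
    return [...this.frames.get(this.open(url)).keys()].sort();
  }
}

// Constructed scenario: one tab on a signed-in service, one tab on an unrelated site.
function namesSeenByUnrelatedSite(leakAcrossOrigins) {
  const session = new BrowsingSession(leakAcrossOrigins);
  session.open("https://unrelated.example/");
  session.createDatabase("https://accounts.example/inbox", "store-user-0000000000", 12);
  return session.namesVisibleTo("https://unrelated.example/page");
}

console.log("same-origin enforced:", namesSeenByUnrelatedSite(false));
console.log("Safari 15 model:", namesSeenByUnrelatedSite(true));
```

With isolation enforced, the unrelated origin sees no database names; in the Safari 15 model it sees the other site’s database name, although the duplicate database itself is empty.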
Why is the Bug so Problematic?
The privacy violation is an issue because it empowers webmasters to view the web browsing activity of web surfers. Webmasters can also identify users of a wide range of Google services, from Google Calendar to YouTube and beyond, because those sites create IndexedDB databases with authenticated Google User IDs. Such IDs are internal identifiers that each pinpoint one Google account.
In plain English, this means a harmful site has the potential to learn a web surfer’s identity and connect the separate accounts that individual uses. The ramifications of the bug are amplified because the leak also impacts Private Browsing mode if the user visits several different websites within a single browser tab.