A bug in the Safari 15 browser lets any website track a user’s internet activity and possibly reveal their identity, according to researchers at FingerprintJS.
“Unfortunately,” the company said in a posting, “there isn’t much Safari, iPadOS and iOS users can do to protect themselves without taking drastic measures. One option may be to block all JavaScript by default and only allow it on sites that are trusted. This makes modern web browsing inconvenient and is likely not a good solution for everyone.
“Moreover, vulnerabilities like cross-site scripting make it possible to get targeted via trusted sites as well, although the risk is much smaller. Another alternative for Safari users on Macs is to temporarily switch to a different browser.
However, on iOS and iPadOS this is not an option as all browsers are affected, so users on those platforms have to wait until Apple issues a fix.
Private mode in Safari 15 is also affected by the leak, says the report. While browsing sessions in private Safari windows are restricted to a single tab, which reduces the extent of information available via the leak, if a user visits multiple different websites within the same tab, all databases these websites interact with are leaked to all subsequently visited websites.
The problem is the implementation of the IndexedDB API that lets any website track a user’s internet activity. IndexedDB is a browser API for client-side storage designed to hold significant amounts of data, the report says. It’s supported in all major browsers and is very commonly used. As IndexedDB is a low-level API, many developers choose to use wrappers that abstract most of the technicalities and provide an easier-to-use, more developer-friendly API.
IndexedDB followings Same-origin policy, a fundamental security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins. An origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. Indexed databases are associated with a specific origin, says the report. Documents or scripts associated with different origins should never have the possibility to interact with databases associated with other origins.
However, the researchers say, in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session. Windows and tabs usually share the same session, unless you switch to a different profile in Chrome, for example, or open a private window.
“The fact that database names leak across different origins is an obvious privacy violation,” say the researchers. “It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific. Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.
“This means that authenticated users can be uniquely and precisely identified. Some popular examples would be YouTube, Google Calendar, or Google Keep. All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts.”