• Exploiting IndexedDB API information leaks in Safari 15

    Home » Forums » Cyber Security Information and Advisories » Code Red – Security/Privacy advisories » Exploiting IndexedDB API information leaks in Safari 15

    • This topic has 0 replies, 1 voice, and was last updated 4 months ago.
    Author
    Topic
    #2418616

    https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15/

    In this article, we discuss a software bug introduced in Safari 15’s implementation of the IndexedDB API that lets any website track your internet activity and even reveal your identity.

    We have also published a demo site to see the vulnerability in action:

    Try the demo

    In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session. Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window. For clarity, we will refer to the newly created databases as “cross-origin-duplicated databases” for the remainder of the article.

    Why is this leak bad?

    The fact that database names leak across different origins is an obvious privacy violation. It lets arbitrary websites learn what websites the user visits in different tabs or windows. ..

    Unfortunately, there isn’t much Safari, iPadOS and iOS users can do to protect themselves without taking drastic measures. One option may be to block all JavaScript by default and only allow it on sites that are trusted.Unfortunately, there isn’t much Safari, iPadOS and iOS users can do to protect themselves without taking drastic measures. One option may be to block all JavaScript by default and only allow it on sites that are trusted…

    Another alternative for Safari users on Macs is to temporarily switch to a different browser. Unfortunately, on iOS and iPadOS this is not an option as all browsers are affected..

    The only real protection is to update your browser or OS once the issue is resolved by Apple.

    Reply To: Exploiting IndexedDB API information leaks in Safari 15

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.