New Unpatched Apple Safari Browser Bug Allows Cross-Site User Tracking

Introduction:

Recently, a new security issue was found in the IndexedDB API which is used by the Safari browsers for managing a NOSQL database of structured data objects such as files and blobs. The software bug that was introduced in the implementation of Apple Safari 15 of the IndexedDB API can be misused by dangerous internet sites to monitor the web activities of the user in the web browser and even worse, expose their personal information as well.

The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the problem to the iPhone manufacturer on November 28, 2021.

 

Main Concern:

The same-origin policy is a fundamental security mechanism that guarantees that the resources retrieved from different origins, are isolated from each other. This means that this “HTTP [:] // example [.] COM /” and “HTTPS [:] // example [.] COM /” are not of the same origin because they use different schemes.

“In Safari 15 on MacOS, and in all browsers on iOS and iPados 15, the IndexedDB API breaks out the same-origin policy,” said Martin Bajanik by writing. “Whenever a website interacts with a database, a new database (empty) with the same name is created in all other active images, tabs and windows in the same browser session.”

A consequence of this violation of privacy is that it allows different websites to know about the other websites that a user is visiting in different tabs or Windows, not to mention it also accurately identifies users in Google Services such as YouTube and Google Calendar since these websites create IndexedDB databases that include Google’s authenticated user identifications such as the user ID.

This Google user ID is used as an internal identifier in Google and relates to a single account. It is also possible to draw personal information from Google APIs using this identifier, which could help sites fully identify the user.

To aggravate things, the leak also affects private browsing mode in Safari 15 If a user visits several different websites from the same tab in the browser window.

Apple has continuously tried to focus on safari privacy, with the introduction of initiatives to prevent cross-site tracking and safari privacy reports aimed at helping protect users. However, an error in how safari functions may have undone all that work.

 

Recommendations:

The users are required to apply these settings for preventing them from cross-site tracking in Safari browser:

On Mac:

  1. Open Safari
  2. Open Safari Preferences, by clicking on the `Safari` menu on the left of the menu bar, and clicking on `Preferences`, or by pressing `⌘,`.
  3. Click on the `Privacy` tab.
  4. Uncheck the `Prevent cross-site tracking` check box.
  5. Close the Preferences window.

On iPhone

  1. Open Settings
  2. Open the Safari section.
  3. Under the `Privacy` heading, make sure the `Prevent Cross-Site Tracking` switch is off.
  4. Go back to the Home screen, open Safari again, and try again