
A bug in iOS 15 is leaking users’ browsing activity in real time


For the past four months, Apple’s iOS and iPadOS devices and the Safari browser have violated one of the Internet’s sacrosanct privacy policies. The violation is the result of a bug that leaks user identities and browsing activity in real time.

The same-origin policy is a foundational security mechanism that prohibits documents, scripts, or other content loaded from one origin (that is, the protocol, domain, and port of a given website or application) from interacting with resources from other origins. Without this policy, malicious websites, such as badguy.example.com, could access credentials for Google or another trusted website when it is open in another browser window or tab.

A clear violation of privacy

Since the release of Safari 15 and iOS and iPadOS 15 in September, this policy has been largely dismantled, research published last weekend found. As a demo site graphically reveals, it is trivial for a website to learn the domain names of web pages open in other tabs or windows, as well as user IDs and other identifying information associated with those other websites.

Martin Bajanik, a researcher at security firm FingerprintJS, writes: “The leak of database names across multiple origins is a clear violation of privacy.” He continued:

It allows arbitrary websites to learn what websites users visit in different tabs or windows. This can happen because database names are usually unique and site-specific. Furthermore, we observed that in some cases, websites use unique user-specific identifiers in the database name. This means that authenticated users can be uniquely and precisely identified.

The attack works on Macs running Safari 15 and on any browser running on iOS or iPadOS 15. As the demo shows, safarileaks.com can detect the presence of more than 20 websites (Google Calendar, YouTube, Twitter, and Bloomberg among them) open in other tabs or windows. With more work, a real-world attacker could find hundreds or thousands of detectable web pages or sites.

When a user is logged in to one of these sites, the vulnerability can be abused to reveal the visit and, in many cases, identifying information in real time. For example, when a user is signed in to a Google account opened elsewhere, the demo site can obtain the internal identifier that Google uses to identify each account. Those identifiers can often be used to identify the account holder.

Raise awareness

The leak is a result of the way the WebKit browser engine implements IndexedDB, a programming interface supported by all major browsers. IndexedDB holds large amounts of data and works by creating databases when a new website is visited. Tabs or windows running in the background can continuously query the IndexedDB API for available databases. This allows a website to find out in real time what other websites a user is visiting.

Websites can also trigger an IndexedDB-based leak for a specific site on their own: by embedding an iframe or pop-up in its HTML code, a website can open another web page and cause that page's database names to leak.

“Every time a web page interacts with the database, a new (empty) database with the same name is created in all other active frames, tabs and windows in the same browser session,” wrote Bajanik. “Windows and tabs generally share the same session, unless you switch to a different profile, such as in Chrome or open a private window.”
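Because the leak exposes database names, a site that keeps user-specific identifiers out of its IndexedDB database names gives away less. The following is an added example, not code from the article or from FingerprintJS, that flags such names; the function names, heuristic patterns and sample names are assumptions constructed for illustration.

```javascript
// Added example: flag IndexedDB database names that embed user identifiers.
// Function names, patterns and sample names are constructed for illustration.
const PATTERNS = [
  ["email", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/],
  ["uuid", /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i],
  ["long-number", /\d{10,}/],      // account-ID-style digit runs
  ["hex-token", /[0-9a-f]{24,}/i], // hashes, object IDs, session tokens
];

// Classify one database name. knownIds: identifiers of the signed-in user
// (account ID, username) that must never appear in a name.
function auditName(name, knownIds = []) {
  const reasons = [];
  if (knownIds.some((id) => id && name.includes(String(id)))) {
    reasons.push("known-id");
  }
  for (const [label, re] of PATTERNS) {
    if (re.test(name)) reasons.push(label);
  }
  return { name, risky: reasons.length > 0, reasons };
}

// Return only the names that would identify a user if exposed.
function auditNames(names, knownIds = []) {
  return names.map((n) => auditName(n, knownIds)).filter((r) => r.risky);
}

// Browser entry point: audit the databases of the current origin.
async function auditThisOrigin(knownIds = []) {
  const dbs = await indexedDB.databases(); // resolves to [{ name, version }]
  return auditNames(dbs.map((d) => d.name), knownIds);
}

// Constructed sample names, so the example also runs under Node.
const SAMPLE_NAMES = [
  "app-cache",
  "offline.settings.v2",
  "mail_store_alice@example.com",
  "sync-3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d",
  "prefs.104857600123456789",
  "session-u77",
];
console.log(auditNames(SAMPLE_NAMES, ["u77"]));
```

In a browser, calling `auditThisOrigin([...])` from a page on the site under review applies the same checks to the names that origin has actually created.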
