Bug in Safari can leak browsing activity, user identity, says report

A bug in the Safari 15 browser lets any website track a user’s internet activity and possibly reveal their identity, according to researchers at FingerprintJS.

“Unfortunately,” the company said in a posting, “there isn’t much Safari, iPadOS and iOS users can do to protect themselves without taking drastic measures. One option may be to block all JavaScript by default and only allow it on sites that are trusted. This makes modern web browsing inconvenient and is likely not a good solution for everyone.

“Moreover, vulnerabilities like cross-site scripting make it possible to get targeted via trusted sites as well, although the risk is much smaller. Another alternative for Safari users on Macs is to temporarily switch to a different browser.

However, on iOS and iPadOS this is not an option as all browsers are affected, so users on those platforms have to wait until Apple issues a fix.

Private mode in Safari 15 is also affected by the leak, says the report. While browsing sessions in private Safari windows are restricted to a single tab, which reduces the extent of information available via the leak, if a user visits multiple different websites within the same tab, all databases these websites interact with are leaked to all subsequently visited websites.

The problem is the implementation of the IndexedDB API that lets any website track a user’s internet activity. IndexedDB is a browser API for client-side storage designed to hold significant amounts of data, the report says. It’s supported in all major browsers and is very commonly used. As IndexedDB is a low-level API, many developers choose to use wrappers that abstract most of the technicalities and provide an easier-to-use, more developer-friendly API.

IndexedDB followings Same-origin policy, a fundamental security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins. An origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. Indexed databases are associated with a specific origin, says the report. Documents or scripts associated with different origins should never have the possibility to interact with databases associated with other origins.

However, the researchers say, in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session. Windows and tabs usually share the same session, unless you switch to a different profile in Chrome, for example, or open a private window.

“The fact that database names leak across different origins is an obvious privacy violation,” say the researchers. “It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific. Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.

“This means that authenticated users can be uniquely and precisely identified. Some popular examples would be YouTube, Google Calendar, or Google Keep. All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.