Same-origin breach vulnerability in Safari 15 could leak a user’s website history and identity


The fix is apparently coming

A vulnerability affecting the Safari browser could leak a user’s identity and website history, researchers have warned.

The problem was introduced in Safari’s implementation of the IndexedDB API in its latest offering, version 15. IndexedDB is a browser API for client-side storage designed to hold large amounts of data.

To prevent data leaks due to cross-site scripting (XSS) attacks, IndexedDB follows the same-origin policy, controlling which resources can access each piece of data.


The same-origin policy limits how documents or scripts loaded from one origin can interact with resources from other origins. It also prevents malicious script on one page from accessing sensitive data on another web page.

A blog post from the FingerprintJS researchers who discovered the bug revealed that in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy in the WebKit implementation, leaving user information accessible to other origins.

“It allows arbitrary websites to learn which websites the user visits in different tabs or windows,” the blog post explains. “This is possible because database names are usually unique and website-specific.

Precisely identified

“Additionally, we observed that in some cases, websites use user-specific unique identifiers in database names. This means that authenticated users can be uniquely and accurately identified.

“Some popular examples would be YouTube, Google Calendar, or Google Keep. All of these websites create databases that include the Google Authenticated User ID and in case the user is logged in to multiple accounts, databases are created for all these accounts.”

Not only can untrustworthy or malicious websites therefore potentially learn a user’s identity, but they could also link multiple separate accounts used by the same user.
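The naming problem the researchers describe has a site-side mitigation: since other origins could read database names, a name that embeds an account ID becomes a cross-site identifier, so the name should stay fixed and generic with user scoping moved inside the records. The following is an added JavaScript example, not code from the article, FingerprintJS or Apple; the functions `looksUserSpecific`, `weakDbName`, `hardenedDbName`, `recordKey` and `auditOwnDatabases` are assumed names and the audit patterns are only a heuristic.

```javascript
// Added example (not from the FingerprintJS post): a site-side mitigation for
// the identity half of the leak. Database names were readable across origins,
// so a name carrying a user ID doubles as a tracking identifier. The hardened
// pattern keeps one fixed database name per app and scopes per-user data by
// record key instead. `indexedDB` is only touched when it exists (browser).

// Heuristic audit: does a database name carry something that looks like a
// user identifier? Long digit runs, hex tokens, UUIDs, or e-mail addresses.
const ID_PATTERNS = [
  /\d{8,}/,                                                          // long numeric account IDs
  /[0-9a-f]{16,}/i,                                                  // hex tokens / hashes
  /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i,   // UUID
  /[^@\s]+@[^@\s]+\.[^@\s]+/,                                        // e-mail address
];

function looksUserSpecific(name) {
  return ID_PATTERNS.some((re) => re.test(name));
}

// Weak pattern (the one the researchers observed): one database per account,
// with the account ID embedded in the database name.
function weakDbName(userId) {
  return `notes-${userId}`;
}

// Hardened pattern: a single fixed name per application. The user ID appears
// only inside records, never in the database name that other origins saw.
const APP_DB_NAME = 'notes';

function hardenedDbName(/* userId intentionally unused */) {
  return APP_DB_NAME;
}

// Composite object-store key so several signed-in accounts share one database
// without leaking which accounts exist through the database list.
function recordKey(userId, noteId) {
  return [String(userId), String(noteId)];
}

// Self-audit of the current origin's own databases; resolves to the names that
// look user-specific. Returns [] outside a browser or where databases() is
// unsupported (indexedDB.databases() is not available in every engine).
async function auditOwnDatabases() {
  if (typeof indexedDB === 'undefined' || typeof indexedDB.databases !== 'function') {
    return [];
  }
  const dbs = await indexedDB.databases();
  return dbs.map((d) => d.name).filter((n) => n && looksUserSpecific(n));
}
```

Run `auditOwnDatabases()` from the site's own console to list names that would have identified the signed-in user; renaming them to a fixed value and moving the user scope into keys removes the identifier without changing what the app stores.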


The researchers noted that these leaks do not require any specific user action. A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user is visiting in real time, they explained.

Alternatively, websites can open any website in an iframe or popup to trigger an IndexedDB-based leak for that specific site.

FingerprintJS claims that more than 30 of the Alexa Top 1000 sites use indexed databases directly on their homepage, potentially leaving them at risk of the bug, although they “expect the number to be significantly higher in real scenarios.”

Fix incoming?

A proof of concept can be found in the FingerprintJS blog post.

Apple has been made aware of the issue and, according to researchers, engineers have confirmed that they have resolved the issue. However, FingerprintJS claims that the problem is still present.

In the meantime, users “can’t do much” to protect against the vulnerability, the researchers explained.

They wrote: “One option may be to block all JavaScript by default and only allow it on trusted sites. This makes modern web browsing impractical and probably not a good fit for everyone.

“Additionally, vulnerabilities such as cross-site scripting also allow targeting through trusted sites, although the risk is much lower.

“Another alternative for Safari users on Mac is to temporarily switch to another browser. Unfortunately, on iOS and iPadOS this is not an option as all browsers are affected.”

The Daily Swig contacted FingerprintJS and Apple to inquire about the arrival of a suitable fix.

This article will be updated as we receive feedback.
