
Safari exposed API vulnerabilities that could reveal browsing data and user identities

Apple has long emphasized privacy protection and promotes its Safari browser on that basis, with features such as cross-site tracking prevention and privacy reports. Recently, however, a vulnerability was disclosed in the browser's handling of the IndexedDB API, which may cause these efforts to fail and disclose private information related to users' browsing habits.


(From FingerprintJS)

FingerprintJS, a browser fingerprinting service, pointed out in a blog post that Apple's implementation of the IndexedDB API in Safari 15 has a serious privacy data leakage risk.

The researchers note that the vulnerability allows any web tracker to spy on a user's internet activity and ultimately identify them.

IndexedDB is a client-side storage API supported by the majority of browsers, mostly used to store databases and other data.

Typically, a same-origin policy restricts what data can be accessed by a particular website.

In general, a website is allowed to access only the data it generated itself, and cannot touch the data of other websites.


Embarrassingly, in Safari 15 for macOS, iOS, and iPadOS, we were surprised to find:

Whenever a web site interacts with its database, all other active frames, tabs, and windows in the same browser session create a new, empty database with the same name.

The resulting data leak is a problem because it allows sites with ulterior motives to learn about different tabs in the same session, or about other sites visited in a window.

The problem is also exacerbated by the fact that some databases have unique names that are specific to a site.

For sites that can share the same authentication credentials, such as Gmail and YouTube, the database name can also contain the same authenticated Google user ID.

How IndexedDB in Safari 15 leaks your browsing activity

Testing found that an IndexedDB database with a universally unique identifier was created by an ad network. Thankfully, Safari's tracking prevention feature prevents these database names from being leaked in this way.
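Because the leak described above exposes database names, a site can reduce its own exposure by keeping user-specific values out of those names. The following is an added example, not code from the article or from FingerprintJS: a small audit that flags IndexedDB database names containing identifying tokens. The patterns, function names and sample names are assumptions constructed for illustration.

```javascript
// Patterns for tokens that would identify a user if a database name leaked.
// These heuristics are assumptions chosen for this example, not a standard list.
const IDENTIFYING_PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "email", re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
  { kind: "long-numeric-id", re: /\d{10,}/ },
  { kind: "long-hex-token", re: /[0-9a-f]{24,}/i },
];

// Return the kinds of identifying token found in one database name.
function classifyName(name) {
  return IDENTIFYING_PATTERNS.filter((p) => p.re.test(name)).map((p) => p.kind);
}

// Return only the names that carry at least one identifying token.
function auditDatabaseNames(names) {
  return names
    .map((name) => ({ name, reasons: classifyName(name) }))
    .filter((finding) => finding.reasons.length > 0);
}

// In a browser, audit the databases of the current origin only.
// Returns null where indexedDB.databases() is unavailable (e.g. Node.js).
async function auditCurrentOrigin() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null;
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name));
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-cache",
  "offline.settings.123456789012345678901",
  "ads-3f2b8c1e-9a4d-4c6f-8b1a-0d2e5f7a9c3b",
  "mail-user@example.com",
  "keyval-store",
];

for (const finding of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${finding.name}: ${finding.reasons.join(", ")}`);
}
```

Names flagged by the audit are candidates for renaming to a fixed, non-identifying string, with the per-user value stored inside the database instead.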

Even the private browsing window is not immune to this issue, but browsing sessions are limited to a single tab, which mitigates the impact of this defect of the IndexedDB API to some extent.

At present, there is little users can do about this issue other than blocking JavaScript by default and enabling it only on trusted sites, which may adversely affect the browsing experience.

macOS users can temporarily switch to other browsers (Google Chrome, Mozilla Firefox, etc.), but iOS/iPadOS users are not so lucky and have to wait for Apple and the WebKit development team to fix it in the next update.
