Safari bug leaks Google data, browsing history and other information of iOS users

A bug in Safari 15, also present in other browsers on iOS and iPadOS, leaks users' confidential information, such as browsing history or data from their personal Google accounts.

According to a blog post by the fraud detection service FingerprintJS, the bug stems from a flaw in the implementation of the IndexedDB application programming interface (API) in Safari for macOS and in every browser on iOS 15 and iPadOS 15, because Apple requires browsers on those operating systems to use the WebKit engine.

As they explain, this API violates the same-origin policy (SOP), a security mechanism that restricts how documents or scripts loaded from one origin can interact with content from other origins.

An origin is distinguished by the scheme (protocol) and domain name of the URL used to access it, and each database is associated with a specific origin. Documents and scripts associated with other origins should therefore not be able to interact with databases that are not their own.

As FingerprintJS has seen in a simulation on Safari for macOS and the affected browsers on iOS and iPadOS 15, this interaction allows encrypted websites to pull information from Google, as well as users' browsing histories and the content of browser windows.

Every time a website interacts with a specific database, a database with the same name is created in the other active tabs and pages within the same browser session, although it is empty of content. However, the mere creation of another database with the same name is enough for data such as the Google username to be extracted from it.
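
The origin scoping and the name duplication described above, as an added toy model (not code from FingerprintJS, Apple or WebKit, and not a real IndexedDB): `BrowserSession`, `foreignNames`, the `.example` URLs and the database names are hypothetical. It compares origins by scheme, host and port, which goes slightly beyond the wording above.

```javascript
// Added illustration: an in-memory model of per-origin database scoping.
// An origin is the scheme, host and port of a URL; URL#origin computes it.
const originOf = (url) => new URL(url).origin;

class BrowserSession {
  // scoped=true models the same-origin policy; scoped=false models the flaw
  // described above, where a database's name appears for every other page.
  constructor({ scoped }) {
    this.scoped = scoped;
    this.dbs = new Map(); // origin -> Set of database names it created
  }

  open(pageUrl, name) {
    const origin = originOf(pageUrl);
    if (!this.dbs.has(origin)) this.dbs.set(origin, new Set());
    this.dbs.get(origin).add(name);
  }

  // Names a page can observe. Contents are never shared in either mode.
  visibleNames(pageUrl) {
    const origin = originOf(pageUrl);
    const names = [];
    for (const [owner, set] of this.dbs) {
      if (this.scoped && owner !== origin) continue;
      for (const name of set) names.push({ owner, name });
    }
    return names;
  }

  // Isolation check: visible names that belong to a different origin.
  foreignNames(pageUrl) {
    const origin = originOf(pageUrl);
    return this.visibleNames(pageUrl).filter((e) => e.owner !== origin);
  }
}

// Constructed sample: unrelated sites open in one browser session.
function demo(scoped) {
  const s = new BrowserSession({ scoped });
  s.open("https://mail.example/inbox", "offline-cache.user-1234"); // placeholder name
  s.open("https://news.example:8443/", "reader-prefs"); // other port, other origin
  return s.foreignNames("https://news.example/").map((e) => e.name);
}
```

With scoping enforced the isolation check returns nothing; without it, a name that embeds an account identifier is enough to reveal both the visited site and the account, even though the database contents stay private.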

FingerprintJS indicates that more than 30 of the thousand most visited websites, according to the Alexa ranking, "interact with external databases directly on your home page, without any additional user interaction or need for authentication", although it suspects that more pages may be capable of leaking sensitive data.

Apple was notified of this problem on November 28 and has so far not commented on it. For now, there appear to be two ways to stop the data leakage: use an ad blocker (for example, the AdBlock extension) or block JavaScript. FingerprintJS also recommends changing the default browser on macOS to something other than Safari.

