Archive for January 17, 2022

Monday, January 17, 2022

Safari 15 IndexedDB Information Leaks

Martin Bajanik (Hacker News, MacRumors):

In this article, we discuss a software bug introduced in Safari 15’s implementation of the IndexedDB API that lets any website track your internet activity and even reveal your identity.


In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.


The fact that database names leak across different origins is an obvious privacy violation. It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific. Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.


In this case, private mode in Safari 15 is also affected by the leak.


Apple engineers began working on the bug as of Sunday, have merged potential fixes, and have marked our report as resolved. However, the bug continues to persist for end users until these changes are released.

The bug was originally reported in November.

Jake Archibald:

This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines.

Alex Russell:

TFW you tell regulators you need to prevent real competition “because privacy and security”[…]


Some of us are salty about this because:

  1. our engines don’t have this problem
  2. our products on iOS do have this problem
  3. Apple won’t let us keep our users safe

Safari 15 IndexedDB Leaks (Hacker News):

The demo illustrates how any website can learn a visitor's recent and current browsing activity (websites visited in different tabs or windows) using this leak. For visitors logged into Google services, this demo can also leak Google User IDs and profile pictures.


Update (2022-01-19): Nick Heer:

You know what is most wild about this for me? I came across this bug when working on some web development last autumn, but I assumed I must be misinterpreting what I was seeing because there was no way such a critical vulnerability would be so transparently visible.

Update (2022-01-25): Juli Clover:

With the macOS Monterey 12.2 and iOS 15.3 release candidates now available, we could see these updates be made available to the public as soon as next week.
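
The Safari 15 IndexedDB post above notes that some sites put user-specific identifiers in database names, which is what turns the name leak into identification. As an added example (not code from the quoted article or from this blog), here is a site-owner audit that flags such names; the patterns, the sample names and the `app-db` fallback are assumptions made for illustration.

```javascript
// Added example: audit IndexedDB database names for user-identifying tokens.
// In a browser, pass the result of `await indexedDB.databases()` from your
// own origin. SAMPLE below is constructed so the script runs offline in Node.

// Token shapes that tend to identify one account (heuristics, an assumption).
const PATTERNS = [
  { kind: 'uuid', re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: 'email', re: /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i },
  { kind: 'long-number', re: /\d{10,}/ },
  { kind: 'long-hex', re: /(?<![0-9a-f])[0-9a-f]{24,}(?![0-9a-f])/i },
];

// Return one finding per database whose name embeds an identifier-like token,
// with a suggested static name (the token removed, separators trimmed).
function auditDatabaseNames(databases) {
  const findings = [];
  for (const { name } of databases) {
    if (typeof name !== 'string') continue; // defensive: skip malformed entries
    const hit = PATTERNS.find((p) => p.re.test(name));
    if (!hit) continue;
    const token = name.match(hit.re)[0];
    const stableName =
      name.replace(token, '').replace(/^[-_.:]+|[-_.:]+$/g, '') || 'app-db';
    findings.push({ name, kind: hit.kind, stableName });
  }
  return findings;
}

// Constructed sample, shaped like the { name, version } entries the API returns.
const SAMPLE = [
  { name: 'app-settings', version: 1 },
  { name: 'offline-cache_117342890012345678901', version: 3 },
  { name: 'session-3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b', version: 1 },
  { name: 'drafts:alice@example.com', version: 2 },
  { name: 'blob-5f4dcc3b5aa765d61d8327deb882cf99', version: 1 },
  { name: 'media-cache-v2', version: 2 },
];

for (const f of auditDatabaseNames(SAMPLE)) {
  console.log(`${f.kind}: "${f.name}" -> use static name "${f.stableName}"`);
}
```

A flagged database can keep its per-user separation by storing the identifier as a key or object-store value inside a statically named database, where it is not part of the name.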

StoreKit External Purchase Entitlement for Netherlands

Hartley Charlton (tweet):

In a message posted on its developer site late on Friday, Apple announced that it will comply with a Netherlands Authority for Consumers and Markets (ACM) ruling that compels the company to allow third-party payment services to pay for in-app purchases in dating apps. Dutch dating apps that link out to or use a third-party in-app payment provider will still need to pay a commission to Apple on transactions.

Benjamin Mayo (tweet):

Developers will need to create and maintain a completely separate app binary which includes special entitlements, and is only made available in the Netherlands App Store.


Because we do not believe these orders are in our users’ best interests, we have appealed the ACM’s decision to a higher court.

John Gruber:

The piecemeal regulations popping up around the world are so odd. Only dating apps and only in the Netherlands. Again, alternate payment processing in-app is not the answer, if Google and Apple are still going to take their cut of each transaction. Just send users to the web to process payments outside the app, and stipulate that apps must be allowed to link to their websites.

Michael Love:

Interesting question is how they’re going to collect these commissions absent the ability to intercept purchase data; perhaps they view this small-scale experiment (one type of app in one small-ish market) as a good chance to work on that.

Sami Fathi:

Now that Apple has announced changes, the ACM wants to assess whether those changes meet the requirements of its previous ruling, according to a press release. As part of its probe into the changes, the ACM will meet with dating app providers, such as The Match Group, which owns Tinder, to ensure Apple’s changes sufficiently address concerns.


Small Developer Assistance Fund Claims

Juli Clover:

Apple in August announced plans to pay $100 million to settle a class-action lawsuit levied by U.S. developers, and as of today, the website that will allow developers to submit a claim for a payout has gone live.


Developers need to submit claims by May 20, 2022 to get a payment from Apple, and there will be a final approval hearing on June 7, 2022. The actual payout date will vary based on whether there are objections, how long it takes to resolve those objections, and whether the agreement receives final approval from the court.

This only applies to sales in the US, and it’s only for iOS developers.

Paul Haddad:

This page has a form to figure out how much you’ll get from Apple for settlement money. All you need is your Team ID, or I’m pretty sure anyone’s easily discoverable Team ID…


Photo Ninja

Mikael Thalen (via John Wilander):

“Photo Ninja uses a novel series of steganography, detection perturbation, visible overlay, and several other AI-based enhancement processes to shield your images from reverse image searches without compromising the look of your photo,” the company said.


The service can be used for a range of purposes. For example, a user can run their photos through the tool prior to uploading them to dating apps such as Tinder, ensuring that other users can’t use their pictures in a reverse image search in order to locate their other social media profiles.