{"id":34720,"date":"2022-01-17T14:49:38","date_gmt":"2022-01-17T19:49:38","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=34720"},"modified":"2022-01-25T16:21:30","modified_gmt":"2022-01-25T21:21:30","slug":"safari-15-indexeddb-information-leaks","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/01\/17\/safari-15-indexeddb-information-leaks\/","title":{"rendered":"Safari 15 IndexedDB Information Leaks"},"content":{"rendered":"

Martin Bajanik<\/a> (Hacker News<\/a>, MacRumors<\/a>):<\/p>\n

In this article, we discuss a software bug introduced in Safari 15’s implementation of the IndexedDB API that lets any website track your internet activity and even reveal your identity.<\/p>

[…]<\/p>

In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.<\/p>

[…]<\/p>

The fact that database names leak across different origins is an obvious privacy violation. It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific. Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.<\/p>

[…]<\/p>

In this case, private mode in Safari 15 is also affected by the leak.<\/p>

[…]<\/p>

Apple engineers began working on the bug as of Sunday, have merged potential fixes<\/a>, and have marked our report as resolved. However, the bug continues to persist for end users until these changes are released.<\/p><\/blockquote>\n

The bug was originally reported<\/a> in November.<\/p>\n\n

Jake Archibald<\/a>:<\/p>\n

\n

This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines.<\/p>\n<\/blockquote>\n\n

Alex Russell<\/a>:<\/p>\n

TFW you tell regulators<\/a> you need to prevent real competition “because privacy and security”[…]<\/p>

[…]<\/p>

Some of us are salty about this because:<\/p>

  1. our engines don’t have this problem<\/li>
  2. our products on iOS do<\/em> have this problem<\/li>
  3. Apple won’t let us keep our users safe<\/li><\/ol><\/blockquote>\n\n

    Safari 15 IndexedDB Leaks<\/a> (Hacker News<\/a>):<\/p>\n

    \n

    The demo illustrates how any website can learn a visitor's recent and current browsing activity (websites visited in different tabs or windows) using this leak. For visitors, logged into Google services, this demo can also leak Google User IDs and profile pictures.<\/p>\n<\/blockquote>\n\n

    Previously:<\/p>\n