Safari is back in the spotlight. A few days ago, operators were furious about a new feature that would prevent them from blocking web pages or learning users' browsing history. Now, a bug in Safari allows an attacker to learn your entire browsing history and the unique identifier of your Google account.
The vulnerability was discovered by the fraud detection service FingerprintJS, which contacted the developers of the affected WebKit engine and openly offered the code to fix it, free of charge. The bug has not been fixed, and for this reason the FingerprintJS team has decided to make the vulnerability public to speed up its patching.
The bug is not patched
The fault lies in a flawed implementation of the IndexedDB API. This API is designed so that documents or scripts originating from one site cannot interact with resources from other origins. A website opened in one tab should not be able to share data with another tab; all of them should always remain isolated from each other. Otherwise, malware could learn, for example, our bank details.
However, the Safari vulnerability allows separate web pages to interact with each other. In Safari 15, every time a website interacts with an IndexedDB database, a new, empty database with the same name is created in all other active frames, tabs and windows in the same browser session. The consequence is that other websites can read the names of those databases and, from them, learn information such as details about a Google account.
Among that information is the unique identifier of a Google account. With it, an attacker can obtain personal information and link multiple accounts that the user keeps separate. The research team found that, of the 1,000 most visited websites in the world according to the Alexa ranking, 30 use indexed databases in a way that exposes them to this leak. Browsing in incognito or private mode does not solve the problem, although it does help limit the amount of information available.
Avoid using Safari while it’s being patched
The team that discovered the vulnerability has created a demo that identifies sites a user with a Google account has recently opened or accessed. The demo checks for 20 specific websites on which the vulnerability works when using Safari 15 on macOS, iOS 15 or iPadOS 15.
As the bug is not patched, the only things that can be done to avoid being affected are to block JavaScript, not use Google accounts, or use another web browser. Interestingly, Apple refused in June 2020 to implement 16 Web APIs in Safari's WebKit, arguing that they could pose a privacy problem. However, many argued that this move was made to force users to use native iOS apps.