Browsers on iOS, iPadOS and Mac leak your browsing activity and personal identifiers

Browsers on iOS, iPadOS and Mac leak your browsing activity and personal identifiers

Researchers at FingerprintJS, a Chicago-based firm that specializes in online fraud prevention, have published a software bug introduced in Safari 15’s implementation of the IndexedDB API that lets any website track your internet activity and may even reveal your identity.

They found that in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy; a fundamental security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins.

Safari

Safari is developed by Apple and designed to be the default browser for the Operating Systems macOS, iOS and iPadOS. As such, it has a market share of around 20%, which makes it the most used browser after Chrome, which has a market share of over 60%.

The researchers found that the current version of WebKit, the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS, can be tricked into skipping the same-origin check. To put it simply, the names of all IndexedDB databases are available to any site that you are visiting in the same session. Actual access to the content of each database is restricted however.

IndexedDB

IndexedDB is a browser API for client-side storage designed to hold significant amounts of data. It’s supported in all major browsers and is very commonly used. Normally, information stored in IndexedDB storage can only be accessed by a web page from the same domain that created it. If Google creates it, for example, the information cached there can only be accessed by another Google web page.

Google services store an IndexedDB instance for each of your logged in accounts, with the name of the database corresponding to your Google User ID. This ID can be retrieved using this leak as well.

The leak

The information that can be gathered by exploiting this bug may seem limited at first sight. But it can disclose information about your recent browsing history and even some info about the logged-in Google account. So, it lets arbitrary websites learn what other websites you visit(ed) in different tabs or windows.

Additionally, some websites use unique user-specific identifiers in database names, which means that authenticated users can be uniquely and precisely identified. This includes, for example, your Google profile picture, which can be looked up using an ID attached to certain sites’ IndexedDB caches.

Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user.

Exploitability

Note that these leaks do not require any specific user action. A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time. So, all the criminals have to do is get you to visit a site designed by them. In such a case of actively controlled exploitation, the attacker could tell websites to open any other website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.

Mitigation

Apple has acknowledged the bug and worked on a solution, marking the issue as resolved. This does not mean the fix will take effect immediately, however. Updates take time to roll out, and it could be a while before your devices receive the fix.

If you are worried about this leak, you can use private mode in Safari 15. But this only helps partially because private mode in Safari 15 is also affected by the leak. It only helps because private Safari windows are restricted to a single tab, which reduces the extent of information available via the leak. If you visit multiple different websites within the same tab, all databases these websites interact with are leaked to all subsequently visited websites.

Another way to limit the impact is to block all JavaScript by default and only allow it on sites that are trusted. But this makes web browsing very inconvenient and is likely not a good solution for everyone. Moreover, vulnerabilities like cross-site scripting make it possible to get targeted via trusted sites as well, although the risk is much smaller.

MacOS users can switch to another browser but, unfortunately, this is not an option on iOS and iPadOS as all browsers are affected on these operating systems.

Demo

For those interested, the researchers have created a demo that demonstrates how a website can learn the Google account identity of any visitor. The demo is available at safarileaks.com.

If you open the page and start the demo in an affected browser, you will see how the current browsing context and your identity is leaked right away. Identity data will only be available if you are authenticated to your Google account in the same browsing session.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.