Over the past four months, Apple’s iOS and iPadOS devices and the Safari browser have violated one of the Internet’s most sacrosanct security policies. The breach results from a bug that leaks user identities and real-time browsing activity.
The same-origin policy is a fundamental security mechanism that prohibits documents, scripts, or other content loaded from one origin (the combination of protocol, domain name, and port of a web page or application) from interacting with resources of other origins. Without this rule, a malicious site (e.g., badguy.example.com) could access login credentials for Google or another trusted site that is open in another browser window or tab.
Obvious breach of privacy
Since the September release of Safari 15 and of iOS and iPadOS 15, this policy has been wide open, research published late last week found. As a demo site graphically reveals, it is trivial for one site to learn the domains of sites open in other tabs or windows, as well as user IDs and other credentials associated with those sites.
“The fact that database names are leaking across different origins is a clear violation of privacy,” wrote Martin Bajanik, software engineer at FingerprintJS, a startup that creates a device identification interface for anti-fraud purposes. He continued:
It allows arbitrary websites to learn which websites the user visits in different tabs or windows. This is possible because database names are usually unique and website-specific. Additionally, we have observed that in some cases, websites use user-specific unique identifiers in database names. This means that authenticated users can be uniquely and accurately identified.
The attacks work on Macs running Safari 15 and on any browser running on iOS or iPadOS 15. As the demo shows, safarileaks.com is able to detect the presence of over 20 websites, including Google Calendar, YouTube, Twitter, and Bloomberg, open in other tabs or windows. With more work, a real-world attacker could likely find hundreds or thousands of detectable sites or web pages.
When users are logged into one of these sites, the vulnerability can be exploited to reveal the visit and, in many cases, credentials in real time. When a Google account is logged in elsewhere, for example, the demo site can obtain the internal identifier that Google uses to identify each account. These identifiers can generally be used to recognize the account holder.
The leak is the result of how the WebKit browser engine implements IndexedDB, a programming interface supported by all major browsers. It stores large amounts of data and works by creating databases when a new site is visited. Tabs or windows running in the background can continually query the IndexedDB API for available databases, which allows a site to learn in real time which other websites a user is visiting.
A website can also open any other website in an iframe or popup embedded in its own HTML, triggering an IndexedDB-based leak for that specific site.
“Each time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” Bajanik wrote. “Windows and tabs generally share the same session unless you switch to a different profile, in Chrome for example, or open a private window.”
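The leak is only as revealing as the database names themselves: a constant, site-specific name discloses the visit, while a name that embeds a user ID or e-mail address identifies the logged-in user. The following is an added example, not code from the article, from FingerprintJS or from Apple: a self-audit helper a site operator can run over the IndexedDB names their own front end creates. The identifier heuristics, the `auditDbNames` and `auditCurrentOrigin` function names and the sample names are all assumptions made for illustration.

```javascript
// Added example (not from the article): audit a site's own IndexedDB database
// names for embedded user-specific identifiers. Only the browser fix removes
// the cross-origin visibility itself; this helper reduces what a leaked name
// says about the user on a browser that is still unpatched.

// Heuristics (assumptions): a long digit run, a UUID, a 32+ char hex string or
// an e-mail address inside a database name is treated as user-specific.
const IDENTIFIER_PATTERNS = [
  { label: 'numeric id', re: /\d{8,}/ },
  { label: 'uuid', re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { label: 'hex token', re: /[0-9a-f]{32,}/i },
  { label: 'email', re: /[^\s@/]+@[^\s@/]+\.[a-z]{2,}/i },
];

// Classify one name; `reasons` lists every heuristic that fired.
function classifyDbName(name) {
  const reasons = IDENTIFIER_PATTERNS.filter((p) => p.re.test(name)).map((p) => p.label);
  return { name, identifying: reasons.length > 0, reasons };
}

// Return only the names that would identify a user if leaked.
function auditDbNames(names) {
  return names.map(classifyDbName).filter((r) => r.identifying);
}

// In a browser page, enumerate this origin's real names where the engine
// exposes indexedDB.databases(); outside a browser (e.g. Node) return [].
async function auditCurrentOrigin() {
  if (typeof indexedDB === 'undefined' || typeof indexedDB.databases !== 'function') {
    return [];
  }
  const dbs = await indexedDB.databases();
  return auditDbNames(dbs.map((d) => d.name).filter(Boolean));
}

// Constructed sample names, as a site's own code might create them
// (not names observed by the demo site).
const SAMPLE_DB_NAMES = [
  'app-cache',
  'notifications-v2',
  'profile-1234567890123',
  'session-3f2504e0-4f89-11d3-9a0c-0305e82c3301',
  'drafts-alice@example.com',
];

// Running the audit over the sample flags the last three names; the fix for
// each is a fixed name (e.g. 'profile') with the user-specific key stored
// inside an object store rather than in the database name.
const flagged = auditDbNames(SAMPLE_DB_NAMES);
```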
Bajanik said he notified Apple of the vulnerability in late November, and at press time it had still not been patched in either Safari or the company’s mobile operating systems. Apple representatives did not respond to an email asking if or when the company would release a fix. On Monday, Apple engineers had merged potential fixes and marked Bajanik’s report as resolved. End users, however, will not be protected until the WebKit patch is rolled into Safari 15 and iOS and iPadOS 15.
For now, users should be cautious when using desktop Safari or any browser running on iOS or iPadOS. That advice is of limited use to iPhone or iPad users, since every browser on those platforms is affected, and in many cases there is little or no consequence to the browsing activity that leaks. In other situations, however, the specific sites visited and the order in which they were viewed can reveal a great deal.
“The only real protection is to update your browser or operating system after the issue is fixed by Apple,” Bajanik wrote. “In the meantime, we hope this article will raise awareness of this issue.”