Exploiting IndexedDB API information leaks in Safari 15

pablozi

In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session. Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window. For clarity, we will refer to the newly created databases as “cross-origin-duplicated databases” for the remainder of the article.


The fact that database names leak across different origins is an obvious privacy violation. It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific. Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified. Some popular examples would be YouTube, Google Calendar, or Google Keep. All of these websites create databases that include the authenticated Google User ID, and if the user is logged into multiple accounts, databases are created for all of those accounts.
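One site-side mitigation for the second point above (user identifiers ending up in database names), as an added example that is not code from the thread, FingerprintJS or WebKit: the leaky naming pattern next to a fixed-name alternative that keeps per-user data inside an object store, plus an audit function a site owner can run over their own database names. The identifier regexes and the `users` store name are assumptions.

```javascript
// Added example, not code from the thread or from FingerprintJS/WebKit.
// On affected WebKit builds IndexedDB database *names* may be visible to
// other origins, so keep user identifiers out of the name and store per-user
// data inside object stores. The regexes are a constructed audit heuristic.

const IDENTIFIER_PATTERNS = [
  { kind: 'numeric-account-id', re: /(?:^|[^0-9])[0-9]{10,}(?:[^0-9]|$)/ },
  { kind: 'email', re: /[^\s@/]+@[^\s@/]+\.[^\s@/]+/ },
  { kind: 'hex-token', re: /(?:^|[^0-9a-f])[0-9a-f]{32,}(?:[^0-9a-f]|$)/i },
];

// The pattern the thread warns about: the account id becomes part of the name.
function leakyDbName(app, userId) {
  return `${app}-${userId}`;
}

// Hardened naming: one fixed name per origin, nothing user-specific in it.
function safeDbName(app) {
  return `${app}-store`;
}

// Audit helper for site owners: flag names that would identify a user if leaked.
// Returns [{ name, kind }] for every offending name (empty array when clean).
function auditDbNames(names) {
  const findings = [];
  for (const name of names) {
    for (const { kind, re } of IDENTIFIER_PATTERNS) {
      if (re.test(name)) { findings.push({ name, kind }); break; }
    }
  }
  return findings;
}

// Browser-only: open the fixed-name database and keep per-user records in an
// object store keyed by userId, so the user id never reaches the database name.
function openUserStore(app, version = 1) {
  if (typeof indexedDB === 'undefined') {
    return Promise.reject(new Error('IndexedDB is only available in a browser'));
  }
  return new Promise((resolve, reject) => {
    const req = indexedDB.open(safeDbName(app), version);
    req.onupgradeneeded = () => {
      req.result.createObjectStore('users', { keyPath: 'userId' });
    };
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
  });
}
```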

silversurfer

For now, the only way to protect yourself from data leakage and tracking is to block all JavaScript by default, but that will likely hamper your browsing experience.
People using macOS can also switch to a different browser for the time being but this workaround will unfortunately not work for iOS users since all browsers on Apple's mobile OS are based on WebKit, which means that they are also affected.
 

CyberTech

Apple has since prepared a fix for the bug, according to a WebKit commit on GitHub, but the fix will not be available to users until Apple releases macOS Monterey, iOS 15, and iPadOS 15 updates with an updated version of Safari. Apple declined to comment when asked to provide a timeframe for a fix being released to the public.

The bug allows any website that uses IndexedDB for client-side data storage to access the names of IndexedDB databases generated by other websites during a user's browsing session. The bug could allow one website to track other websites the user visits in different tabs or windows, as the database names are often specific to each website, and sometimes the database names contain user-specific identifiers that could reveal a user's identity.

FingerprintJS has a live demo of the bug, which affects newer versions of browsers using Apple's open source browser engine WebKit, including Safari 15 for macOS and Safari on all versions of iOS 15 and iPadOS 15. The bug also affects third-party browsers like Chrome and Edge on iOS 15 and iPadOS 15, as Apple requires all iPhone and iPad browsers to use WebKit.

The bug does not affect Safari 14 for macOS or any browser on iOS 14 and iPadOS 14, according to FingerprintJS, which has a blog post with more details.
 

pablozi

The fix for this dangerous exploit may arrive as early as this week. After just two beta builds, Apple rolled out its Release Candidates for iOS 15.3. At the same time, the Cupertino-based company issued the macOS Monterey 12.2 Release Candidate.