Security News > 2022 > January > New Unpatched Apple Safari Browser Bug Allows Cross-Site User Tracking

A software bug introduced in Apple Safari 15's implementation of the IndexedDB API could be abused by a malicious website to track users' online activity in the web browser and worse, even reveal their identity.

That's not the case with how Safari handles the IndexedDB API in Safari across iOS, iPadOS, and macOS. "In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy," Martin Bajanik said in a write-up.

"Every time a website interacts with a database, a new database with the same name is created in all other active frames, tabs, and windows within the same browser session."

A consequence of this privacy violation is that it allows websites to learn what other websites a user is visiting in different tabs or windows, not to mention precisely identify users on Google services services like YouTube and Google Calendar as these websites create IndexedDB databases that include the authenticated Google User IDs, which is an internal identifier that uniquely identifies a single Google account.

To make matters worse, the leakage also affects Private Browsing mode in Safari 15 should a user visit multiple different websites from within the same tab in the browser window.

"On OSX, Safari users can switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines."

News URL

https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.html