Security News > 2022 > January > Serious Security: Apple Safari leaks private data via database API – what you need to know
Researchers at browser identification company FingerprintJS recently found and disclosed a fascinating data leakage bug in Apple's web browser software.
At first telling, the bug sounds both undramatic and unimportant: although it allows private data to leak between separate browser tabs that contain content from unrelated websites, the amount of data that leaks is minuscule.
WebKit, like all other modern browser engines, lets websites set and store what's called stateful data - information that's carried from one visit to a site to the next, traditionally via web cookies.
As you can imagine, the sort of data stored in cookies and web storage isn't suitable for disclosing to anyone, given that it often identifies you loosely, and frequently identifies you exactly - for example, cookies may grant access to private data in an online account, such as your name, address, contact details, credit card data, as well as the password reset page for that account.
We now have THREE types of local storage: cookies, which are great for simple settings such as pagestyle=dark; web storage, fine for larger-sized chunks of data such as configuration settings and modestly-sized documents; and a local database system known as IndexedDB, when you need to keep large amounts of data and to access it efficiently.
Clearing web data typically means you need to log in and readjust preferences for every website you've used lately.