Apple’s Safari browser has a vulnerability that is said to be leaking users’ browsing activity and even allowing bad actors to know their identity. The vulnerability affects the latest macOS, iOS, and iPadOS users. It comes due to a bug that was introduced in the implementation of IndexedDB, which works as an application programming interface (API) to store structured data. MacOS users have a workaround, where they can use a third-party web browser, but iPhone and iPad users don’t have that option. The vulnerability was first hinted in a report from 9to5Mac, which says that fraud detection firm FingerprintJS has discovered the vulnerability impacting the latest version of Safari.
The vulnerability in IndexedDB, has been found in Safari 15. It follows the same origin policy that is meant to restrict documents and scripts loaded from one origin to be interacted with resources from other origins. Researchers from FingerprintJS have found that Apple’s implementation of IndexedDB violates this policy, resulting in a loophole that can be exploited by an attacker to gain access to users’ activity on their web browser or identity attached to their Google account. “Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” the researchers were quoted as saying.
This vulnerability allows hackers to know what websites they are visiting in different tabs or windows. It also exposes their Google ID to websites, even if a user has not logged in using their Google account.
The researchers at FingerprintJS have also released a proof-of-concept to demonstrate the vulnerability, which users can use on their Mac, iPhone, or iPad computers. It currently detects Alibaba, Instagram, Twitter, and Xbox to tell how the database can be leaked from one website to the other.
For MacOS users, this vulnerability can be avoided if they switch to a third-party browser like Google Chrome or Mozilla Firefox, but that option is not available for iPad and iPhone users. This is mainly because Apple does not allow iOS devices to use a third-party browser engine. Apple has not commented on the issue as of now.
Read all the Latest News, Breaking News and Coronavirus News here.