This flaw was discovered in the WebKit browser engine, which is used by Safari. The issue affects Safari 15 on macOS, as well as all browsers running on iOS and iPadOS 15, because Apple’s mobile operating systems require all web browsers to use WebKit.
Details of the Vulnerability
The vulnerability centers around WebKit’s implementation of the Indexed Database API (IndexedDB). IndexedDB is a JavaScript-based API commonly utilized by web applications to store large amounts of data, such as user profiles, session data, and site settings. It allows browsers to create a database of objects for efficient storage and retrieval of information while interacting with web applications.
Under normal circumstances, IndexedDB adheres to the “same-origin” policy. This principle prevents data stored by one origin (the combination of scheme, host, and port) from being accessed by web pages belonging to a different origin. For instance, information saved by one website should not be accessible to another website. The same-origin policy is essential for maintaining user privacy, as it prevents websites from accessing data that could reveal sensitive information, such as a user’s identity or browsing behavior on other sites.
However, FingerprintJS, a browser fingerprinting service, discovered that Safari’s IndexedDB implementation did not fully respect the same-origin policy. As a result, the bug allowed websites to detect the presence of databases generated by other websites. In some cases, this flaw even enabled websites to obtain details about the content stored in these databases, including user-specific information like unique IDs. For example, if a user was logged into a Google account, a website exploiting the bug could obtain a Google User ID, which could then be used to identify that individual across various sites.
Implications for User Privacy
This vulnerability poses a serious risk to user privacy, as it enables cross-site tracking of browsing activities. Websites can identify the specific domains a user has interacted with based on the names of their stored databases. If an attacker can map a user’s browsing habits across multiple sites, they can create a detailed profile of the user’s online behavior, preferences, and potentially sensitive interests.
In addition to tracking browsing habits, the exposure of unique identifiers increases the risk of user profiling. For instance, if a website accesses a Google User ID via the IndexedDB bug, it could link the user’s identity to other personal information, even if the user was browsing in private or incognito mode.
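For web developers, the practical takeaway from the two paragraphs above is that a database name should never carry a user identifier. The following is an added example, not code from the original article or from FingerprintJS or Apple: it audits a list of database names that an application creates and flags any that embed an identifier. The patterns, the function name auditDatabaseNames and the sample names are assumptions constructed for illustration.

```javascript
// Added example (not from the original article): audit the IndexedDB
// database names your own web application creates for embedded identifiers.
// The patterns and sample names below are constructed for illustration.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi },
  { kind: "hex-token", re: /[0-9a-f]{32,}/gi },
  { kind: "long-number", re: /\d{10,}/g },
];

// Returns one finding per risky name. `redacted` replaces each identifier
// with a placeholder so the report can be logged without copying the value.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    const kinds = [];
    let redacted = name;
    for (const { kind, re } of IDENTIFIER_PATTERNS) {
      const next = redacted.replace(re, `<${kind}>`);
      if (next !== redacted) kinds.push(kind);
      redacted = next;
    }
    if (kinds.length > 0) findings.push({ redacted, kinds });
  }
  return findings;
}

// Constructed sample: names a hypothetical app might pass to indexedDB.open().
const SAMPLE_NAMES = [
  "app-settings",
  "offline-cache-v2",
  "user.108217349560123456789.messages",
  "drafts:alice@example.com",
  "sync_3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b",
];

console.log(auditDatabaseNames(SAMPLE_NAMES));
```

A name that produces a finding is better replaced with a fixed, per-application name that contains no user-specific value.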
Safari and WebKit’s Role in the Issue
The impact of this vulnerability extends beyond Safari. On iOS and iPadOS devices, Apple mandates that all web browsers, regardless of their brand or origin, use WebKit as their underlying engine. This means that browsers such as Chrome and Firefox on iOS are also affected by the same WebKit vulnerability, putting a wide range of users at risk. The flaw is present on all devices running iOS and iPadOS 15, making it a widespread issue.
Disclosure and Response
The IndexedDB flaw was reported to Apple by FingerprintJS in late 2021. Following the disclosure, Apple worked on a fix and addressed the issue with patches released in early 2022. This update was part of the company’s continuous effort to enhance the security of its products and maintain user privacy.
Users were strongly encouraged to update their devices as soon as the fix became available to mitigate the risk posed by the vulnerability. The situation highlighted the importance of staying current with software updates, as vulnerabilities can emerge even in well-maintained software ecosystems.
Lessons Learned and Ongoing Security Efforts
The Safari vulnerability underlined the complexities involved in web security, especially when dealing with browser engines that interact with diverse web standards. The incident prompted renewed attention toward the security of browser APIs like IndexedDB and how they are implemented across different web browsers.
It also served as a reminder of the importance of the same-origin policy in protecting user privacy and the challenges developers face in enforcing this policy without introducing unintended side effects. Web developers, browser engineers, and security researchers continue to collaborate on refining web standards to prevent similar issues in the future.
In conclusion, while Apple promptly responded to the IndexedDB flaw by releasing patches, the Safari vulnerability served as a stark reminder of the evolving nature of web security threats. Users are encouraged to remain vigilant about applying software updates and be aware of potential risks associated with web browsing.