New, unfixed Apple Safari browser bug allows user tracking across multiple sites

A software bug in Apple Safari 15's implementation of the IndexedDB API could be exploited by a malicious website to track users' online activity in the web browser and, worse, even reveal their identity.

The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the issue to the iPhone maker on November 28, 2021.

IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers for managing a NoSQL database of structured data objects such as files and blobs.


“Like most web storage solutions, IndexedDB follows a same-origin policy,” Mozilla notes in its API documentation. “So while you can access data stored in one domain, you cannot access data across different domains.”

The same-origin policy is a fundamental security mechanism that ensures that resources pulled from separate origins, i.e. different combinations of the scheme (protocol), host (domain), and port number of a URL, are isolated from each other. This effectively means that “https://example[.]com/” and “http://example[.]com/” are not from the same origin because they use different schemes.

By limiting how a script loaded by one origin can interact with a resource from another origin, the idea is to sequester potentially malicious scripts and reduce potential attack vectors by preventing a malicious website from running arbitrary JavaScript code to read data from another domain, for example, an email service.
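To make the origin tuple concrete, here is an added example (not code from the article) that computes a URL's origin and compares two URLs under the same-origin policy. It runs on Node.js using the global URL class; the URL pairs are constructed for the demonstration.

```javascript
// Added example (not code from the article): computing a URL's origin, the
// tuple of scheme, host and port, and comparing two URLs under the same-origin
// policy. Runs on Node.js using the global URL class, whose `origin` property
// already lowercases the host and drops a default port.

function originOf(urlString) {
  const url = new URL(urlString);
  // Schemes such as data:, blob: and file: yield an opaque origin, reported as
  // the string "null"; an opaque origin matches nothing, not even itself.
  if (url.origin === "null") return null;
  return url.origin; // e.g. "https://example.com" or "https://example.com:8443"
}

function sameOrigin(a, b) {
  const originA = originOf(a);
  const originB = originOf(b);
  if (originA === null || originB === null) return false;
  return originA === originB;
}

// Constructed URL pairs: one per component of the origin tuple, plus parts of
// a URL that must be ignored (path, query, default port, host letter case).
const PAIRS = [
  { a: "https://example.com/", b: "http://example.com/", why: "scheme differs" },
  { a: "https://example.com/", b: "https://www.example.com/", why: "host differs" },
  { a: "https://example.com/", b: "https://example.com:8443/", why: "port differs" },
  { a: "https://example.com/", b: "https://example.com:443/app?x=1", why: "default port, path and query are not part of the origin" },
  { a: "https://example.com/", b: "https://EXAMPLE.com/", why: "host is case-insensitive" },
  { a: "data:text/plain,hi", b: "data:text/plain,hi", why: "opaque origins never match" },
];

function classifyPairs(pairs = PAIRS) {
  return pairs.map(({ a, b, why }) => ({ a, b, why, sameOrigin: sameOrigin(a, b) }));
}

for (const r of classifyPairs()) {
  console.log(`${r.sameOrigin ? "SAME     " : "DIFFERENT"} ${r.a} vs ${r.b} (${r.why})`);
}
```

Only the first three pairs differ in origin; the fourth and fifth are the same origin because the default port, the path, the query string and the letter case of the host play no part in the comparison.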

But that’s not how Safari handles the IndexedDB API on iOS, iPadOS, and macOS.

“In Safari 15 on macOS and in all browsers on iOS and iPadOS 15, the IndexedDB API violates the same-origin policy,” Martin Bajanik said in a post. “Each time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”


A consequence of this breach of privacy is that it allows websites to know which other websites a user is visiting in different tabs or windows. It also allows accurately identifying users on Google services such as YouTube and Google Calendar, as these websites create IndexedDB databases whose names include the Google Authenticated User ID, an internal identifier that uniquely identifies a single Google Account.

“Not only does this imply that untrustworthy or malicious websites can learn a user’s identity, but it also allows multiple separate accounts used by the same user to be linked together,” Bajanik said.
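The following is an added example, not code from the article or from FingerprintJS: a small in-memory model of how IndexedDB database names are scoped per origin. It contrasts the intended same-origin behaviour with the Safari 15 behaviour described above, where interacting with a database in one origin creates an empty database of the same name in every other active frame, tab and window, and shows why a database name that encodes an account identifier turns that leak into an identity leak. The origins, database names and user ID are all constructed; the class is a simulation, not a browser API.

```javascript
// Added example (not code from the article or FingerprintJS): an in-memory
// model of per-origin IndexedDB database names. With `leakNamesAcrossOrigins`
// set, the model reproduces the Safari 15 behaviour the article describes;
// without it, names stay confined to the origin that created them.

class BrowserSession {
  constructor({ leakNamesAcrossOrigins = false } = {}) {
    this.leakNamesAcrossOrigins = leakNamesAcrossOrigins;
    // origin -> Map(databaseName -> array of records)
    this.storage = new Map();
  }

  // A tab or frame for `origin` becomes active in this session.
  openTab(origin) {
    if (!this.storage.has(origin)) this.storage.set(origin, new Map());
  }

  // Models indexedDB.open(name) from a script running in `origin`.
  openDatabase(origin, name) {
    this.openTab(origin);
    const own = this.storage.get(origin);
    if (!own.has(name)) own.set(name, []);
    if (this.leakNamesAcrossOrigins) {
      // The bug: every other active origin gains an empty database with the
      // same name. Only the name crosses the origin boundary, never the records.
      for (const [otherOrigin, otherDbs] of this.storage) {
        if (otherOrigin !== origin && !otherDbs.has(name)) otherDbs.set(name, []);
      }
    }
    return own.get(name);
  }

  // Models indexedDB.databases(): the names a script in `origin` can enumerate.
  databaseNames(origin) {
    this.openTab(origin);
    return [...this.storage.get(origin).keys()].sort();
  }
}

// One session: a third-party page sits in an open tab while two first-party
// sites use IndexedDB in other tabs. `encodeUserIdInName` reproduces the
// pattern the article describes for some Google services; the alternative keeps
// the database name fixed and stores the account record inside the database.
function simulate({ leakNamesAcrossOrigins, encodeUserIdInName }) {
  const session = new BrowserSession({ leakNamesAcrossOrigins });
  const userId = "1234567890"; // constructed stand-in for an account identifier
  const siteA = "https://site-a.example";
  const siteB = "https://site-b.example";
  const thirdParty = "https://third-party.example";

  session.openTab(thirdParty); // active before the first-party sites touch storage
  const dbName = encodeUserIdInName ? `account-${userId}` : "account";
  session.openDatabase(siteA, dbName).push({ userId, theme: "dark" });
  session.openDatabase(siteB, "cache").push({ key: "k", value: "v" });

  const visible = session.databaseNames(thirdParty);
  return {
    visibleToThirdParty: visible,
    // The third party can see that site A's database exists at all...
    seesSiteADatabaseName: visible.includes(dbName),
    // ...and, if the name carries the identifier, who the user is.
    learnsUserId: visible.some((n) => n.includes(userId)),
    // Records never cross origins under either behaviour.
    recordsVisibleToThirdParty: session.openDatabase(thirdParty, dbName).length,
  };
}

console.log("bug, id in name:   ", simulate({ leakNamesAcrossOrigins: true, encodeUserIdInName: true }));
console.log("bug, fixed name:   ", simulate({ leakNamesAcrossOrigins: true, encodeUserIdInName: false }));
console.log("correct behaviour: ", simulate({ leakNamesAcrossOrigins: false, encodeUserIdInName: true }));
```

The three runs make the two halves of the problem visible separately. The browser bug by itself exposes which database names exist in other tabs, which is enough to infer browsing activity; a site that additionally builds the database name from an account identifier exposes the identifier as well, even though the records inside the database remain confined to their origin. The second run shows the site-side mitigation that a web developer controls: keep the name fixed and put the per-user data inside the store.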

To make matters worse, the leak also affects private browsing mode in Safari 15 if a user visits multiple different websites from the same tab in the browser window. We’ve reached out to Apple for further comment, and we’ll update the story if we hear back.

“It’s a huge bug,” Google Chrome Developer Advocate Jake Archibald tweeted. “On OSX, Safari users can (temporarily) switch to another browser to prevent their data from leaking from one origin to another. iOS users have no such choice, as Apple imposes a ban on other browser engines.”