
Apple Safari Browser Bug Can Leak Browsing Activity

Bug Could Expose Google User ID to Other Sites
Apple's store in Beijing's Sanlitun district (Photo: Apple)

Researchers have uncovered a serious bug in Apple's Safari 15 browser that can leak browsing activity and reveal personal information attached to a Google account, according to a report from FingerprintJS, a browser fingerprinting and fraud detection service by 9to5Mac.


The vulnerability arises from an issue with Apple's implementation of IndexedDB, a browser API for client-side storage designed to hold significant amounts of data. IndexedDB is supported by all major browsers.

"Like most modern web browser technologies, IndexedDB is following same-origin policy," says Martin Bajanik, software engineer, core API, R&D and security at FingerprintJS. "The same-origin policy is a fundamental security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins. An origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it."

A spokesperson for Apple was not immediately available to confirm the report.

IndexedDB Leaks

Bajanik says that in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy.

"Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs and windows within the same browser session. Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window," Bajanik says.

The leaking of database names across different origins is a privacy violation that lets arbitrary websites learn which websites the user visits in different tabs or windows. This is possible because database names are unique and website-specific, Bajanik says.

The FingerprintJS team also observed websites using unique user-specific identifiers in database names, which means that authenticated users can be uniquely and precisely identified.

Websites such as YouTube, Google Calendar and Google Keep created databases that include the authenticated Google User ID, and if the user is logged into multiple accounts, databases are created for all of these accounts, the researchers say.
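For site developers, the practical consequence is that an IndexedDB database name should be treated as potentially visible outside the origin and should not carry per-user values. The following added example (not code from the FingerprintJS report) audits a list of database names for identifier-like content; the patterns, thresholds and sample names are illustrative assumptions, and `auditCurrentOrigin` relies on the standard `indexedDB.databases()` call where the browser provides it.

```javascript
// Added example: flag IndexedDB database names that appear to embed a per-user value.
// The patterns and length thresholds are illustrative assumptions, not from the report.
const IDENTIFIER_PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "email", re: /[^\s@]+@[^\s@]+\.[a-z]{2,}/i },
  { kind: "long-numeric-id", re: /\d{10,}/ },
  { kind: "long-hex-token", re: /[0-9a-f]{24,}/i },
];

// Returns one finding per name that matches at least one identifier pattern.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    const kinds = IDENTIFIER_PATTERNS.filter(p => p.re.test(name)).map(p => p.kind);
    if (kinds.length > 0) findings.push({ name, kinds });
  }
  return findings;
}

// In a browser, audit the databases created by the current origin.
// indexedDB.databases() is not available everywhere, so feature-test it first.
async function auditCurrentOrigin() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null; // enumeration not supported in this environment
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map(db => db.name).filter(Boolean));
}

// Constructed sample names (not taken from any real site).
const SAMPLE_NAMES = [
  "app-settings",
  "offline-cache-v2",
  "user-108234567890123456789-notes",
  "3f2b8c1e-9d4a-4e6b-8a1f-0c2d3e4f5a6b",
  "drafts:alice@example.com",
];

if (typeof indexedDB === "undefined") {
  // Outside a browser (for example under Node), audit the constructed sample list.
  for (const f of auditDatabaseNames(SAMPLE_NAMES)) {
    console.log(`${f.name}: ${f.kinds.join(", ")}`);
  }
}
```

Names that are flagged are candidates for renaming to a fixed, user-independent value, with the per-user data moved into object stores or keys inside the database.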

They say that the Google User ID is an internal identifier generated by Google, which identifies a single Google account and can be used with Google APIs to fetch personal information of the account owner.

"The information exposed by these APIs is controlled by many factors. In general, at minimum, the user's profile picture is typically available. Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user," Bajanik says.

He warns that these leaks do not require any specific user action. A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real time.

"Alternatively, websites can open any website in an iframe or pop-up window in order to trigger an IndexedDB-based leak for that specific site," Bajanik says.

Serious Flaw

Peter Draper, director of EMEA at Gurucul, says the flaw is especially worrisome because it requires no specific user action in order to allow a webpage to collect data regarding the user, the sites they have visited, and possible ID/credential data.

"The fact that the information can be gathered across tabs in the browser raises the stakes. How many people, especially on their iPhones, actively close down each tab when they have finished using it? I would bet there are many people with a multitude of tabs open that may have made additional information available to this issue," Draper says.

Researchers say they reported the leak to the WebKit Bug Tracker on November 28, 2021, as bug 233548.

Draper says the flaw affects Safari on Mac, iPhone and iPad, which makes a huge base of users available to the bad actors who would exploit this. There is little that users can do to mitigate this issue, he says, until a fix is forthcoming from Apple.

"Having been reported initially in November of 2021, just imagine the amount of data that could have been made available during the last six to eight weeks. Vendors really need to do more to ensure security by design is high on their priority list when developing software," Draper says.

Websites Affected

The FingerprintJS report found around 30 websites that interact with indexed databases directly on their homepage, without any additional user interaction or the need to authenticate. The researchers suspect this number to be significantly higher in real-world scenarios.

"We also saw a pattern where indexed databases named as universally unique identifiers (UUIDs) are being created by sub resources, specifically ad networks," Bajanik says. He says that in some cases, loading of these resources seems to be blocked by Safari’s tracking prevention features, and that prevents the database names from leaking. "These leaks will also be prevented if the resources are blocked by other means, for example when using adblocker extensions or blocking all JavaScript execution."

The report says that this bug also affects private mode in Safari 15. If a user visits multiple different websites within the same tab, it says, all the databases these websites interact with are leaked to all subsequently visited websites.

"Note that in other WebKit-based browsers, for example Brave or Google Chrome on iOS, private tabs share the same browser session in the same way as in nonprivate mode," Bajanik says.

Tom Davison, international technical director at Lookout, says that the scope of this vulnerability covers any Mac device running Safari 15 or any browser on any device running iOS 15.

"It is not clear whether the flaw is limited to browsers on devices running iOS or whether it can also extend to webviews used within mobile apps. In any case, limiting exposure to potential data leaks or privacy violations will be of the utmost importance to enterprise users. Any fix for the issue will need to come in the form of a Safari update for MacOS and an iOS update for iPhone/iPad," Davison says.

The researchers developed a demo page that demonstrates how a website can learn the Google account identity of any visitor. They say the demo has detected the presence of over 20 websites in other browser tabs or windows, including Google Calendar, YouTube, Twitter and Bloomberg.

How IndexedDB in Safari 15 leaks browsing activity in real time (Source: YouTube)

Davison says this poses a challenge to enterprises who struggle to identify and patch vulnerable devices, especially in light of the ever-increasing number of BYOD devices being used to access corporate data. To limit exposure in such scenarios, he says, enterprises should ensure they have full visibility across all devices accessing corporate data and are able to dynamically control access permissions. Until patching can occur, this will close open flaws without data leaks or privacy compromise, he says.

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
