An improper implementation of a widely used API in Apple's WebKit is now responsible for leaking sensitive data stored in browsers that use it.
As reported by the FingerprintJS researchers, Safari 15, which uses WebKit, is affected on iOS, macOS, and iPadOS. Chrome, Brave, and other browsers using the same browser engine are affected as well. As Apple hasn't resolved the issue yet, the researchers suggested a few mitigations to use until then.
Safari Bug in iOS
As browsers are the gateway to the internet, their makers build a variety of tools into their code that store information and process data to serve each other's needs. If any of those tools is set up improperly, it can lead to serious security and privacy issues.
A component in Apple's WebKit is now causing such unwanted issues. It is called IndexedDB, a browser API that is widely used by browser makers for client-side storage and for caching web application data for offline viewing.
To prevent cross-site scripting attacks, IndexedDB uses a "same-origin" policy, a method where it only lets eligible tools and websites access particular data stored in it. While that is promising, researchers at FingerprintJS found that the IndexedDB API doesn't follow the same-origin policy in WebKit of Safari 15 on macOS!
The third-party iOS browsers (like Chrome for iOS, Brave for iOS, etc.) using the same engine on iOS and iPadOS are affected too. The researchers stated that this fault can let any website access the database names created in the same session.
If unique database names are created, due to different profiles, user-specific identifiers could leak as well. This ultimately exposes user-identifiable data, which hackers can use for further exploitation.
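Since leaked database names only identify a user when they embed per-user values, a site can audit the names it creates. This is an added example, not code from FingerprintJS or this article. The patterns and sample names are constructed assumptions, and the heuristics are not exhaustive.

```javascript
// Added example: heuristic audit of the IndexedDB database names a site creates.
// Patterns and sample names are constructed assumptions, not from the article.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-number", re: /(?<!\d)\d{8,}(?!\d)/ },
  { kind: "long-hex", re: /(?<![0-9a-f])[0-9a-f]{16,}(?![0-9a-f])/i },
];

// Returns { kind, redacted } for the first pattern that matches, or null.
// The redacted form keeps the identifier itself out of audit logs.
function classifyDatabaseName(name) {
  for (const { kind, re } of IDENTIFIER_PATTERNS) {
    const match = re.exec(name);
    if (match) {
      const end = match.index + match[0].length;
      const redacted = name.slice(0, match.index) + `<${kind}>` + name.slice(end);
      return { kind, redacted };
    }
  }
  return null;
}

// Returns one finding per name that appears to embed a per-user value.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    const hit = classifyDatabaseName(name);
    if (hit) findings.push(hit);
  }
  return findings;
}

// Constructed sample: names an application might pass to indexedDB.open().
const SAMPLE_NAMES = [
  "offline-cache-v2",
  "app-settings",
  "inbox:alice@example.com",
  "sync_3f2a9c1e-7b4d-4e8a-9c1f-0a1b2c3d4e5f",
  "user-1029384756-cache",
  "session_9f86d081884c7d659a2feaa0c55ad015",
];

for (const f of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${f.kind}: ${f.redacted}`);
}
```

Names that are flagged can be replaced with a fixed name shared by all users, with the per-user value kept inside the database rather than in its name.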
To check the bug's impact on your browser, visit this demonstration page for reproducing the API leak. The researchers reported this issue to the WebKit Bug Tracker on November 28, 2021, and it has been left unaddressed till now. So the temporary mitigations until Apple comes up with a patch are to:
- Block JavaScript in your browser, which should keep any of the browser data from leaking, but this also breaks the browser's functionality in some cases.
- Switch to a non-WebKit-based web browser, which is the better option. But this alternative is only good for macOS. Users of iOS and iPadOS web browsers still remain affected.