An improper implementation of a widely used API in Apple’s WebKit is now responsible for leaking sensitive data stored in browsers using it.
As reported by FingerprintJS researchers, Safari 15 using WebKit on iOS, macOS, and iPadOS is affected. Chrome, Brave, and other browsers using the same browser engine are affected as well. As Apple hasn't resolved the issue yet, the researchers suggested a few mitigation procedures until then.
Safari Bug in iOS
As browsers are the gateway to the internet, their makers use a variety of tools in their code to store information and process data. If any of those tools is set up improperly, it can lead to serious security and privacy issues.
A component in Apple's WebKit is now causing such issues. It's called IndexedDB, a browser API that's widely used by browser makers as a client-side storage system and for caching web application data for offline viewing.
To prevent cross-site scripting attacks, IndexedDB uses a "same-origin" policy, a method where it only lets eligible tools and websites access particular data stored in it. While that's promising, researchers at FingerprintJS found that the IndexedDB API doesn't follow the same-origin policy in WebKit of Safari 15 on macOS!
Third-party iOS browsers using the same engine on iOS and iPadOS (like Chrome for iOS, Brave for iOS, etc.) are affected too. Researchers stated that this fault can let any website access the database names created in the same session.
User-specific identifiers could also leak where unique database names are created, due to different profiles. This ultimately exposes user-identifiable data, which hackers can use for further exploitation.
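For site developers, how much the leak described above exposes depends on what their own database names contain. The following is an added example (not code from FingerprintJS or the original article) that checks a list of IndexedDB database names for embedded per-user values; the pattern list, function names, and sample names are constructed for illustration, and it assumes the standard `indexedDB.databases()` call is available to list your own origin's databases.

```javascript
// Added example: audit the IndexedDB database names your own origin creates.
// The patterns are illustrative heuristics, not an exhaustive list.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-number", re: /\d{9,}/ },
  { kind: "hex-token", re: /[0-9a-f]{24,}/i },
];

// Return one finding per name that appears to embed a per-user value.
// The first matching pattern decides the reported kind.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    const hit = IDENTIFIER_PATTERNS.find((p) => p.re.test(name));
    if (hit) findings.push({ name, kind: hit.kind });
  }
  return findings;
}

// In a browser, list this origin's databases and audit their names.
// indexedDB.databases() is not implemented everywhere, so feature-test it.
async function auditOwnOrigin() {
  if (typeof indexedDB === "undefined" ||
      typeof indexedDB.databases !== "function") {
    return null; // cannot enumerate in this environment
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name).filter(Boolean));
}

// Constructed sample names (not taken from any real site).
const SAMPLE_NAMES = [
  "app-cache",
  "offline-articles-v2",
  "profile-123456789012345678901",
  "inbox-alice@example.com",
  "session-3f2b8c1e-9a4d-4e6f-8b1a-2c3d4e5f6a7b",
];

console.log(auditDatabaseNames(SAMPLE_NAMES));
```

Names flagged here are candidates for renaming to a fixed, non-identifying value, with the per-user key kept inside the database rather than in its name.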
To check the bug's impact on your browser, visit this demonstration page for reproducing the API leak. Researchers reported this issue to the WebKit Bug Tracker on November 28, 2021, and it has been left unaddressed till now. So a temporary mitigation until Apple comes out with a patch is:
- Switching to a non-WebKit-based web browser is the better option, but this alternative is only good for macOS. Users of web browsers on iOS and iPadOS still remain affected.