Recent findings from FingerprintJS, a browser fingerprinting and fraud detection service, have revealed that a software bug in Safari 15 can leak your identity and allow any website to track your Internet activity. The bug is related to the Apple browser’s implementation of an application programming interface (API) called IndexedDB, which is designed to store data in your browser.
Read on to learn more about the API and how exactly it’s leaking this data.
What is IndexedDB API?
Supported and used by many major browsers, IndexedDB API provides client-side (browser) storage that can store significant amounts of data. But what does that mean in practice? Practically speaking, it’s used to save data from websites you visit so that they load faster when you return. It does this by creating a database to store the data for each website you visit. These databases are supposed to be private to each individual site, so that one domain cannot access the database of another. In short, a domain should only access the data that it generated.
This practice is known as same-origin policy, an important concept in web application security. It ensures that if you have opened several browser tabs where you’re logged into personal accounts, if you happen to open another tab with a malicious web page, it won’t be able to view or access the data contained in the other tabs.
The problem with the implementation of IndexedDB API in Safari 15 is that it violates same-origin policy.
How the bug leaks your data
According to FingerprintJS, during a browser session in Safari 15, IndexedDB API actually creates a new (empty) database with the same name in all other active frames, tabs, and windows. This is a problem because it not only allows any active websites you have open to see the other websites you visit, but it can also reveal user-specific identifiers on websites that require users to be authenticated.
A major example is any site that uses Google User ID, such as YouTube, Gmail, or Google Calendar. All of these sites create databases that include the user’s Google User ID, and databases are created for every account the user is logged into. If malicious users have access to this ID, they could potentially use it to reveal a great deal of personal information about the account owner, as well as other online accounts linked to their Google User ID.
For an example of this kind of data leak in action, check out this video.
What can you do about it?
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.