
A Bug in iOS 15 Is Leaking User Browsing Activity in Real Time


For the past four months, Apple’s iOS and iPadOS devices and Safari browser have violated one of the internet’s most sacrosanct security policies. The violation results from a bug that leaks user identities and browsing activity in real time.

The same-origin policy is a foundational security mechanism that forbids documents, scripts, or other content loaded from one origin—meaning the protocol, domain name, and port of a given webpage or app—from interacting with resources from other origins. Without this policy, malicious sites—say, badguy.example.com—could access login credentials for Google or another trusted site when it’s open in a different browser window or tab.

Obvious Privacy Violation

Since September’s release of Safari 15 and iOS and iPadOS 15, this policy has been broken wide open, research published late last week found. As a demo site graphically reveals, it’s trivial for one site to learn the domains of sites open in other tabs or windows, as well as user IDs and other identifying information associated with the other sites.

“The fact that database names leak across different origins is an obvious privacy violation,” Martin Bajanik, a researcher at security firm FingerprintJS, wrote. He continued:

It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific. Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.

Attacks work on Macs running Safari 15 and on any browser running on iOS or iPadOS 15. As the demo shows, safarileaks.com is able to detect the presence of more than 20 websites—Google Calendar, YouTube, Twitter, and Bloomberg among them—open in other tabs or windows. With more work, a real-world attacker could likely find hundreds or thousands of sites or webpages that can be detected.

When users are logged in to one of these sites, the vulnerability can be abused to reveal the visit and, in many cases, identifying information in real time. When logged in to a Google account open elsewhere, for instance, the demo site can obtain the internal identifier Google uses to identify each account. Those identifiers can usually be used to recognize the account holder.
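For site developers, one way to check whether their own IndexedDB database names carry user-specific identifiers of the kind the researcher describes. This is an added example, not code from the article or from FingerprintJS; the patterns, function names and sample database names are assumptions constructed for illustration.

```javascript
// Audit a site's own IndexedDB database names for embedded user identifiers.
// Any database name reveals the site; a name carrying an account id, e-mail
// address or token also reveals the user. Patterns below are assumptions.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-number", re: /\d{10,}/ },   // account-style numeric ids
  { kind: "hex-token", re: /[0-9a-f]{24,}/i }, // hashes, object ids
];

// Classify one database name: "user" if it embeds an identifier,
// otherwise "site" (still unique to the site, but not to the person).
function classifyDatabaseName(name) {
  for (const { kind, re } of IDENTIFIER_PATTERNS) {
    if (re.test(name)) return { name, reveals: "user", kind };
  }
  return { name, reveals: "site", kind: null };
}

// Audit a list of names and return the per-name results plus the
// names that should be renamed to a fixed, user-independent value.
function auditDatabaseNames(names) {
  const results = names.map(classifyDatabaseName);
  const flagged = results.filter((r) => r.reveals === "user").map((r) => r.name);
  return { results, flagged };
}

// Constructed sample: names a hypothetical web app passes to indexedDB.open().
const SAMPLE_NAMES = [
  "app-cache",
  "offline.settings.1234567890123456789012",
  "inbox-alice@example.com",
  "drafts-3f2b8c1e-9a4d-4c7b-8e21-5d6f7a8b9c0d",
  "media-v2",
];

console.log(auditDatabaseNames(SAMPLE_NAMES).flagged);
```

Names that are flagged can be replaced with a constant name, with the per-user key kept inside the database rather than in its name.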

Raising Awareness

The leak is the result of the way the WebKit browser engine implements IndexedDB, a programming interface supported by all major browsers. IndexedDB holds large amounts of data and works by creating databases when a new site is visited. Tabs or windows that run in the background can continually query the IndexedDB API for available databases. This allows one site to learn in real time what other websites a user is visiting.

Websites can also open any website in an iframe or pop-up window in order to trigger an IndexedDB-based leak for that specific site. A site does this by embedding the iframe or pop-up in its own HTML code.

“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” Bajanik wrote. “Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window.”
