A bug risks leaking your browsing history on iOS and macOS

Bad news for Internet users who run Safari 15 on macOS or any browser on iOS and iPadOS: a bug can reveal too much about your web browsing.

Chrome and Firefox are far from the only browsers to suffer from bugs or vulnerabilities; Safari has its share too. Evidence: on January 15, a computer engineer who specializes in security published findings on the FingerprintJS site showing how Apple’s web browser can leak information.

A not-so-siloed database

The problem lies with an API called IndexedDB. An API is a programming interface that lets software retrieve data from other applications and carry out a variety of tasks, within the limits the API allows. IndexedDB is not specific to Safari: the same API is found in Chrome and Firefox, for example.

In this case, IndexedDB acts as a local database. Embedded in the browser, it stores large amounts of structured data on the user's side, according to the technical documentation of the Mozilla Foundation, which publishes Firefox; it is well suited to that kind of storage.

Safari, Apple’s in-house browser. Source: iphonedigital

In principle, the IndexedDB API follows the so-called “same-origin policy” (the same-source principle). It “limits how a document or script loaded from one source (e.g. a website, editor’s note) can communicate with a resource loaded from another source (another website, editor’s note)”, Mozilla explains.

Broadly speaking, the aim is to prevent sites from interacting with each other through IndexedDB, or from reading information stored in the database when it comes from another domain. Simply put, YouTube only has access to YouTube, Facebook to Facebook and Google to Google. Two pages have the same origin if their protocol, port and host are the same.

The problem highlighted by the FingerprintJS site is related to the way the IndexedDB API is implemented in WebKit, the HTML rendering engine Apple uses to display web pages. A demonstration video states that the database is duplicated in every tab and every window during the same browsing session in Safari.

As a result, FingerprintJS observes, third-party sites can detect whether a given site has recently been visited during a browsing session. An additional problem: if an Internet user logs in to a specific site, for example YouTube, the leak extends to a unique identifier that Google assigns to each Internet user, because Google adds this sequence of characters to the database name.
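To make the same-origin rule and the leak described above concrete, here is an added example (not code from FingerprintJS, Apple or the original article): a toy model in plain JavaScript that compares a session where database names are scoped per origin with one where they are shared session-wide. The `Session` class, the helper functions, the URLs and the database names are all constructed for illustration and are not browser APIs.

```javascript
// Toy model, not browser code: every name below is hypothetical.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (protocol, host, port) triple of a URL.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// One browsing session. With isolated=true, database names are scoped to the
// origin that created them; with isolated=false they are shared session-wide,
// which is the behaviour the article describes.
class Session {
  constructor(isolated) {
    this.isolated = isolated;
    this.entries = [];
  }
  open(pageUrl, dbName) {
    this.entries.push({ origin: originOf(pageUrl), dbName });
  }
  visibleTo(pageUrl) {
    const me = originOf(pageUrl);
    return this.entries.filter((e) => !this.isolated || e.origin === me);
  }
}

// Isolation check: names a page can see that another origin created.
function foreignNames(session, pageUrl) {
  const me = originOf(pageUrl);
  return session.visibleTo(pageUrl)
    .filter((e) => e.origin !== me)
    .map((e) => e.dbName);
}

// Constructed sample session: two sites open databases, a third page looks.
function demo(isolated) {
  const s = new Session(isolated);
  s.open("https://video.example/watch", "player-cache");
  s.open("https://mail.example/inbox", "offline_user-0001"); // name embeds an account id
  s.open("https://observer.example/", "own-db");
  return foreignNames(s, "https://observer.example:443/page");
}

console.log("isolated:", demo(true));
console.log("shared:  ", demo(false));
```

With correct isolation the check returns an empty list; in the shared model the observing page sees both foreign names, including the one that embeds an account identifier.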

A weakness that can identify someone in particular situations

From this identifier, FingerprintJS continues, it is then possible to pull the thread: retrieve the user's avatar through the People API, then use it in a reverse image search to find out who the image belongs to. In short, a person’s identity can be found if this image is linked to that person somewhere on the web, such as on Facebook or LinkedIn.

Internet users running Safari 15 on macOS are affected, but so are all browsers on iOS 15 and iPadOS 15. Why? Apple has set a rule that browsers there must use its rendering engine, WebKit, and not those designed by Mozilla (Gecko for Firefox) or Google (Blink for Chrome and a few other browsers).

The problem identified by FingerprintJS looks quite troublesome for Internet users given the risk of “de-anonymization” the bug carries, but the large-scale risk is uncertain: the flaw requires several steps, and it also depends on the length of the browsing session, the type of site visited, and what can be done with the data obtained.

The problem mostly affects Safari, but also affects browsers that rely on WebKit. Source: Apple

“This doesn’t just mean that unreliable or malicious sites can learn a user’s identity, it allows multiple individual accounts of the same user to be linked together,” the site judges. If you are on Safari 15 on macOS, or browse on iOS or iPadOS, a demonstration tool has been put online to illustrate the problem.

Private browsing reduces the risk by limiting the problem to what happens within a single tab, rather than across tabs or windows. “If you visit different websites on the same tab, the databases that these websites interact with are redirected to all subsequently visited websites,” the site warns.

How can the risk be reduced? While private browsing partially reduces exposure to the problem, migrating to another browser on macOS may be a good idea, although such a switch is hard because of force of habit. On iOS and iPadOS it is harder still, given Apple’s rules on WebKit. A patch from Apple remains the best way forward in this case.

Apple does not appear to have treated the bug as critical: the site reports that the American company has not yet addressed it, although it was reported at the end of November 2021. FingerprintJS hopes, however, that media coverage of its results will help get the problem addressed: even if the danger is not immediate, there is no reason to leave the IndexedDB implementation in this state.
