
Safari Bug Leaks Your Google Account Info, Browsing History

There’s a problem with the implementation of the IndexedDB API in Safari’s WebKit engine, which could result in leaking browsing activity in real-time and even user identities to anyone exploiting this flaw.

IndexedDB is a widely used browser API that is a versatile client-side storage system with no capacity limits. It is typically deployed for caching web application data for offline viewing, while modules, dev tools, and browser extensions can also use it to store sensitive information.

To prevent data leaks from cross-site scripting attacks, IndexedDB follows the “same-origin” policy, controlling which resources can access each piece of data.

However, FingerprintJS analysts discovered the IndexedDB API doesn’t follow the same-origin policy in the WebKit implementation used by Safari 15 on macOS, leading to the disclosure of sensitive data. This privacy violation bug also impacts web browsers using the same browser engine in the latest iOS and iPadOS versions.

The problem in Safari 15

By violating the same-origin policy, the implementation of IndexedDB in Safari 15 on iOS, iPadOS, and macOS allows any website to read the database names created in the same session. Since the database names are typically unique and website-specific, this is essentially like leaking the browsing history to anyone.

To make matters worse, some database names feature user-specific identifiers (after login), so this API leak could potentially lead to user identification.

According to the analysts, identifying someone through this flaw requires logging in and visiting popular websites such as YouTube and Facebook, or services like Google Calendar and Google Keep. Logging in on these sites creates a new IndexedDB database and appends the Google User ID to its name. When multiple Google accounts are used, individual databases are created for each of them.

“We checked the homepages of Alexa’s Top 1000 most visited websites to understand how many websites use IndexedDB and can be uniquely identified by the databases they interact with,” mentions the FingerprintJS report.
