Tuesday, 27 September 2022

Apple IndexedDB API Same-Origin Flaw Exposes User Browsing Information


Remember the days when browsing the internet was simple, when all you had to worry about was clearing your cookies and browser history and you were fine? OK, so it was never truly that simple, but you get my point. Now, as internet surfers become more concerned about tracking and companies find new ways to follow you even more, things have gotten a bit crazy. Microsoft's Edge wants to remember everything you do, as do Chrome and Safari. This is presented as giving you a more complete and speedy internet experience; in reality it just creates a trove of data about you that can be used for good or bad.

Unfortunately for Safari users, there is a flaw in the way your browser stores your history that allows it to most definitely be used for bad. The flaw is interesting, and while it exposes your data it also exposes just how much information Safari and the websites you visit collect. The collection of your data is performed by the IndexedDB API that is built into Safari. This API allows the browser to gather and store data locally (client side), and it collects a lot of data. APIs have become a big target for attackers recently as developers have expanded their capabilities without adding more security. In the case of the IndexedDB API, Apple does have some built-in protection against information leakage from cross-site scripting attacks. This protection is called the Same-Origin Policy.

As the name would seem to indicate, Same-Origin is designed to limit or prevent scripts from accessing data that does not come from the same source. Recently, security researchers from FingerprintJS found that in Safari 15 on macOS, in all browsers on an iOS device, and in Safari on iPadOS 15, the browser appears to be ignoring the Same-Origin Policy. That means that someone can craft a script, load it from a poisoned site, and (potentially) pull back data collected locally about you. To make this even more concerning, due to the way that some sites (Google) identify you and store your data, an attacker can precisely identify who the data belongs to. Since Google likes to collect and correlate your browsing information using your Google User ID, it makes it easier for an attacker to correlate different accounts found on a particular device. If someone were to create a background Safari tab they could, technically, collect information about a target's browsing habits in real time. Likewise, loading a tab or popup window could expose information as well.
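To make the Same-Origin distinction concrete, here is a constructed model of how a browser should filter IndexedDB database names by the calling page's origin, next to a model of what the reported bug does instead. This is an added illustration, not code from the article or from FingerprintJS; the origins, database names (including the user-ID style name) and function names are all assumptions made up for the demonstration.

```javascript
// Constructed model of IndexedDB database-name visibility under the
// Same-Origin Policy. An origin is scheme + host + port; two URLs share
// an origin only when all three match.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed sample store (hypothetical origins): database names as each
// origin's own scripts created them. The "user-12345" style name mirrors
// the article's point that some sites embed a user identifier in the name.
const SAMPLE_STORE = [
  { origin: "https://example-mail.test/", name: "inbox-user-12345" },
  { origin: "https://example-shop.test/", name: "cart" },
  { origin: "https://other-site.test/", name: "prefs" },
];

// Correct behaviour: a page sees only database names its own origin created.
function listDatabasesEnforced(callerUrl, store = SAMPLE_STORE) {
  return store.filter(e => sameOrigin(e.origin, callerUrl)).map(e => e.name);
}

// Model of the reported flaw: the origin check is skipped, so every
// database name on the device is returned regardless of who is asking.
function listDatabasesLeaky(callerUrl, store = SAMPLE_STORE) {
  return store.map(e => e.name);
}

// Defender-side check: names a caller would see under the flaw that the
// policy should have hidden from it.
function crossOriginLeak(callerUrl, store = SAMPLE_STORE) {
  const allowed = new Set(listDatabasesEnforced(callerUrl, store));
  return listDatabasesLeaky(callerUrl, store).filter(n => !allowed.has(n));
}
```

Run `crossOriginLeak("https://other-site.test/")` to see that the leaked list contains the mail site's user-ID-bearing name, which is exactly the correlation risk the article describes.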

In keeping with proper vulnerability disclosure and notification, FingerprintJS made Apple aware of the bug, and Apple has released what they think is a fix. The team at FingerprintJS, however, say that the bug is still present and user data is still exposed. For now, they recommend switching to a different browser on macOS. For iOS and iPadOS your options are much more limited: the flaw is present in any browser installed on the device. This means that the IndexedDB API is at the OS level and not just a part of the browser, which opens up an entirely different conversation about just how much information Apple is collecting about your app and phone use.

We suspect that we will be hearing about more and more API attacks and flaws in the coming months as attackers continue to shift their focus to these exposed methods of data transfer.

Last modified on Tuesday, 18 January 2022 05:54
