New Unpatched Apple Safari Browser Bug Allows Cross-Site User Tracking

January 16, 2022

A software bug introduced in Apple Safari 15’s implementation of the IndexedDB API could be abused by a malicious website to track users’ online activity in the web browser and, worse, even reveal their identity.

The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the issue to the iPhone maker on November 28, 2021.

IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers for managing a NoSQL database of structured data objects such as files and blobs.


“Like most web storage solutions, IndexedDB follows a same-origin policy,” Mozilla notes in its documentation of the API. “So while you can access stored data within a domain, you cannot access data across different domains.”

Same-origin is a fundamental security mechanism that ensures that resources retrieved from distinct origins (i.e., a combination of the scheme (protocol), host (domain), and port number of a URL) are isolated from each other. This effectively means that “https://example[.]com/” and “http://example[.]com/” are not of the same origin because they use different schemes.

By restricting how a script loaded by one origin can interact with a resource from another origin, the idea is to sequester potentially malicious scripts and reduce potential attack vectors by preventing a rogue website from running arbitrary JavaScript code to read data from another domain, say, an email service.
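As an added example (not code from the article), the following computes the (scheme, host, port) tuple that the same-origin policy compares and applies it to the article's own pair of URLs; the default-port table is an assumption for the common schemes.

```javascript
// Added example, not from the article: the (scheme, host, port) tuple the
// same-origin policy compares, with the scheme's default port filled in so
// that an explicit ":443" and an omitted port agree.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  // The WHATWG parser blanks a default port, so restore it for comparison.
  const port = u.port !== "" ? u.port : DEFAULT_PORTS[u.protocol];
  if (port === undefined) {
    throw new Error(`no default port known for scheme ${u.protocol}`);
  }
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// True only when scheme, host and port all match.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Name the component that separates two origins (null if they are the same).
function originMismatch(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  if (a.scheme !== b.scheme) return "scheme";
  if (a.host !== b.host) return "host";
  if (a.port !== b.port) return "port";
  return null;
}

// The article's pair: same host, different scheme, so not the same origin.
const ARTICLE_PAIR = ["https://example.com/", "http://example.com/"];
const ARTICLE_PAIR_SAME_ORIGIN = sameOrigin(ARTICLE_PAIR[0], ARTICLE_PAIR[1]); // false
```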

But that is not the case with how Safari handles the IndexedDB API across iOS, iPadOS, and macOS.

“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy,” Martin Bajanik said in a write-up. “Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”


A consequence of this privacy violation is that it allows websites to learn what other websites a user is visiting in different tabs or windows, not to mention precisely identify users on Google services like YouTube and Google Calendar, as these websites create IndexedDB databases that include the authenticated Google User ID, an internal identifier that uniquely identifies a single Google account.

“Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user,” Bajanik said.
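Because only the database names leak under this bug, a site protects its users by keeping identifiers out of those names. The following site-side audit and naming helper is an added example, not code from the article or from FingerprintJS; the database names, user ID and heuristics are constructed for illustration.

```javascript
// Added example, not from the article: audit a site's own IndexedDB database
// names for embedded account identifiers, and show the safe alternative.
// All sample values below are constructed, not real service database names.

// Return the known identifiers that appear verbatim in a database name.
function identifiersInName(dbName, knownIdentifiers) {
  return knownIdentifiers.filter((id) => id.length > 0 && dbName.includes(id));
}

// Heuristic for names with no identifier list: long digit runs or
// email-like fragments are typical account identifiers (assumption).
function looksLikeIdentifier(dbName) {
  return /\d{8,}/.test(dbName) || /[^\s/@]+@[^\s/@]+/.test(dbName);
}

// Flag every database name that exposes identity, with the reason.
function auditDatabaseNames(dbNames, knownIdentifiers) {
  return dbNames
    .map((name) => ({
      name,
      matched: identifiersInName(name, knownIdentifiers),
      heuristic: looksLikeIdentifier(name),
    }))
    .filter((r) => r.matched.length > 0 || r.heuristic);
}

// Mitigation: one static database name per application, with the per-user
// scoping carried inside the database (key prefix or separate object store),
// which the bug does not reach because only the name is created elsewhere.
function safeDatabaseName(appName) {
  return `${appName}-store`; // nothing user-specific in the name
}
function userScopedKey(userId, recordKey) {
  return `${userId}:${recordKey}`;
}

// Constructed sample: database names one origin might have created.
const SAMPLE_DB_NAMES = [
  "calendar-cache",
  "analytics-logs:0123456789012345678901||",
  "prefs-alice@example.test",
];
const SAMPLE_USER_IDS = ["0123456789012345678901"];
const SAMPLE_AUDIT = auditDatabaseNames(SAMPLE_DB_NAMES, SAMPLE_USER_IDS); // 2 findings
```

Run the audit against the names your own origin creates; any finding means the identifier should move from the database name into a key or record.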

To make matters worse, the leakage also affects Private Browsing mode in Safari 15 should a user visit multiple different websites from within the same tab in the browser window. We have reached out to Apple for further comment, and we’ll update the story if we hear back.

“This is a huge bug,” Jake Archibald, developer advocate for Google Chrome, tweeted. “On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines.”

Some parts of this article are sourced from: thehackernews.com
