Safari Browser Bug Allows Cross-Site User Tracking

Safari Brower Bugs allows cross site user tracking

VTA-00403 – Safari Browser Bug Allows Cross-Site User Tracking

Recently, a software bug introduced in Apple Safari 15’s implementation of the IndexedDB API could be abused by a malicious website to track user’s online activity in the web browser and even reveal their identity.

The vulnerability dubbed indexedDB Leaks, IndexedDB is a low-level JavaScript Application Programming Interface (API) provided by web browsers for managing a NoSQL database of structured data objects such as files. Like most web storage solutions, IndexedDB follows a same-origin policy, so while you can access stored data within a domain, you cannot access data across different domains.

But that’s not the case with how Safari handles the IndexedDB API in Safari across iOS, iPadOS and MacOS. In Safari 15 on macOS, and all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy as every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs and windows within the same browser session. It allows websites to learn what other websites a user is visiting in different tabs or windows. To make matters worse, the bug also affects the Private Browsing mode in Safari 15.


Attack Surfaces:
Web Browser

Discovery, Impact

IndexedDB Leaks, same-origin policy

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Baseline, Security Controls, Software Manipulation

SuperPRO’s Threat Countermeasures Procedures:
1. Switching to a non-WebKit-based web browser but it only applies to macOS.
2. Enable auto-updates to ensure software/program is always up to date.

Are your Endpoints secured? Scan your Endpoints now:
1. Register account on Open Threat Exchange (OTX).
2. Download the OTX Endpoint Security.
3. Subscribe to Provintell-Lab’s OTX pulses. 
4. Scan your endpoint for the presence of the IOCs. It’s FREE!

Contributed by: Jyao

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>