Researchers have discovered a bug in Apple’s Safari browser that allows websites to track a user’s browsing activities on other sites.
The bug, discovered by browser fingerprinting service FingerprintJS, also exposes a user’s unique identifier for certain websites to other sites they visit.
When implemented correctly, IndexedDB follows the same-origin principle: information stored by a web page is available only to pages from the same origin. This prevents an overly curious web page from reading another origin's stored data, which may include sensitive user or session information.
FingerprintJS found that WebKit’s IndexedDB implementation violates the same-origin principle, instead making stored information available to websites in other domains.
FingerprintJS called the bug a privacy breach. “It allows arbitrary websites to learn which websites the user visits in different tabs or windows,” the company said in its analysis of the bug. “This is possible because database names are usually unique and website-specific.”
The company found that some websites embed user-specific data, such as account ID numbers, in their IndexedDB database names, which makes it easy for any other website to learn a user's ID on those sites. Using that identifier to search for user assets (such as profile pictures) could lead to the user being identified, the company warned. Google websites store ID numbers this way, allowing other sites to harvest Google IDs by exploiting the bug.
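As an added illustration (not code from the article or from FingerprintJS), the naming pattern the article describes is shown beside a non-identifying alternative, plus a self-audit a site can run against its own origin. The database names, user IDs and the identifier heuristic are constructed assumptions.

```javascript
// Added example: user-specific IndexedDB database names versus a fixed,
// non-identifying name. All names, IDs and the heuristic are constructed.

// Risky pattern: the account ID becomes part of the database name, so any
// page that can list database names learns the ID without opening the DB.
function leakyDbName(userId) {
  return `profile_${userId}`;
}

// Safer pattern: one fixed, non-identifying database name per origin; the
// user's records live inside an object store keyed by userId, where only
// code that can actually open the database sees them.
const SAFE_DB_NAME = "appdata";

// Self-audit heuristic: flag names carrying a long digit run, a long hex
// token or a UUID-like prefix, which are likely account identifiers.
const ID_PATTERN = /\d{6,}|[0-9a-f]{16,}|[0-9a-f]{8}-[0-9a-f]{4}-/i;
function findIdentifyingDbNames(names) {
  return names.filter((name) => ID_PATTERN.test(name));
}

// Stores one user record under the fixed database name. Browser only:
// returns null where IndexedDB is unavailable (for example in Node).
function saveUserRecord(userId, record) {
  if (typeof indexedDB === "undefined") return null;
  return new Promise((resolve, reject) => {
    const req = indexedDB.open(SAFE_DB_NAME, 1);
    req.onupgradeneeded = () =>
      req.result.createObjectStore("users", { keyPath: "id" });
    req.onerror = () => reject(req.error);
    req.onsuccess = () => {
      const tx = req.result.transaction("users", "readwrite");
      tx.objectStore("users").put({ id: userId, ...record });
      tx.oncomplete = () => resolve(true);
      tx.onerror = () => reject(tx.error);
    };
  });
}

// Lists this origin's own databases (IDBFactory.databases(), browser only)
// and returns the names that look like they embed an identifier.
async function auditOwnDatabases() {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return [];
  const dbs = await indexedDB.databases();
  return findIdentifyingDbNames(dbs.map((d) => d.name));
}
```

Run `auditOwnDatabases()` from a page on your own origin; an empty result means none of that origin's database names match the identifier heuristic.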
FingerprintJS said it notified Apple of the bug on November 28, but Apple had not fixed it. Apple engineers began working on a fix on Sunday, February 17, the day FingerprintJS released the bug details.