IndexedDB is a browser API for storing data on the client. The API follows the same-origin policy, which means that one origin cannot interact with data belonging to other origins. The flaw breaks that isolation in the IndexedDB API and allows other websites to access the IndexedDB databases generated by other websites during a user’s browser session.
This bug can also allow websites to track your Google account. Google stores an IndexedDB database on Safari under the name of the user’s authenticated Google user ID. This identifier can be used with Google APIs to retrieve personal information about the user, e.g. a profile picture. Because the IndexedDB database is stored under the Google user ID, it can be used to reveal a lot of information related to the user’s Google account.
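Since the identifier sits in the database name itself, a site owner can audit the names of the IndexedDB databases their own origin creates for values that identify the user. The sketch below is an added example, not code from FingerprintJS or the original article; the patterns, function names and sample names are assumptions constructed for illustration.

```javascript
// Added example: flag IndexedDB database names that embed user-identifying values.
// PATTERNS, auditDatabaseNames and auditOwnOrigin are hypothetical names.
const PATTERNS = [
  { reason: "email address", re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
  { reason: "UUID", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { reason: "long numeric ID", re: /\d{10,}/ },
];

// names: database name strings; knownIds: identifiers of the signed-in user.
function auditDatabaseNames(names, knownIds = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    for (const id of knownIds) {
      if (id && name.includes(String(id))) reasons.push("contains current user ID");
    }
    for (const { reason, re } of PATTERNS) {
      if (re.test(name)) reasons.push(reason);
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// In a browser: audit the databases that belong to the page's own origin.
async function auditOwnOrigin(knownIds = []) {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null; // API not available (for example in Node.js)
  }
  const dbs = await indexedDB.databases(); // [{ name, version }, ...]
  return auditDatabaseNames(dbs.map((db) => db.name), knownIds);
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-cache",
  "offline.settings.108234567890123456789",
  "drafts-alice@example.com",
  "sync-3f2b8c1e-9a4d-4e6f-8b1a-2c3d4e5f6a7b",
];
```

Names that are flagged can be replaced with a fixed name or a random per-install value, with the user-specific data kept inside the database rather than in its name.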
This bug affects Safari 15 on all versions of iOS 15, macOS Monterey, and iPadOS 15 as they all use Apple’s open-source WebKit engine. Even third-party web browsers on iOS including Chrome and Microsoft Edge are vulnerable to the bug as Apple requires all browsers to use the WebKit website rendering engine on iPhone and iPad.
FingerprintJS also shared a live demo of the bug, which you can use to try it yourself.
The bug does not require any user input or interaction for a website to access the IndexedDB database generated by other websites. As FingerprintJS’s blog post notes, “A tab or window running in the background and continuously polling the IndexedDB API for available databases can learn in real-time what other websites a user visits.” Alternatively, sites can load each site in an iframe or open pop-up windows to trigger an IndexedDB-based leak for that specific site.
The bug needs to be patched by Apple. Even using the “private window” doesn’t help. If you are running Safari 14 on an earlier version of iOS or macOS, the bug will not affect you. And as the bug has been highlighted by a number of users, publications and cyberactivists, a fix should be coming soon, although Apple has yet to comment on the bug.
If you are a Safari 15 user on macOS, you should temporarily switch to another browser, e.g. Google Chrome or Microsoft Edge. Switching web browsers on iOS and iPadOS does not help, as all web browsers there use the WebKit rendering engine, which is affected by the vulnerability.
Via: MacRumors, The Verge