According to browser fingerprinting and fraud detection company FingerprintJS, a flaw in Apple’s implementation of the IndexedDB API in Safari 15 allows websites to monitor users’ activities on other sites and potentially disclose their identities.
IndexedDB is a low-level browser API for storing client data that follows the same-origin policy to prevent the interaction of resources with different origins. All major browsers support it. Scripts with multiple origins should not be allowed to interact with databases with different origins since indexed databases are connected with their respective origin.
However, FingerprintJS observed that the IndexedDB API violates the same-origin policy in Safari 15 on macOS and browsers operating on iOS and iPadOS 15 devices.
“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” FingerprintJS clarifies.
Because database names are often website-specific, the availability of these “cross-origin-duplicated databases” implies that random websites can discover what other sites the user views in different tabs or windows. In some circumstances, unique user-specific IDs are included in the database name, allowing authorized users to be identified.
For example, Google Calendar, Google Keep, and YouTube build databases storing the Google ID of authenticated users. For each account that a user is logged into, a database is established. The Google User ID may be used to identify a specific Google account and can be used with Google APIs to get information about the account owner, including, at a minimum, the user’s profile image.
These data breaches don’t involve any user engagement since websites accessing the IndexedDB API may learn about other sites in real-time. If the user is connected to their Google account in the same browser, FingerprintJS has produced a demo website that reveals how the user’s identity is disclosed when visited in a vulnerable browser.