since the past For four months, Apple’s iOS and iPadOS devices and Safari browser violated one of the most sacred security policies on the Internet.The result of the violation is Vulnerability Real-time disclosure of user identities and browsing activity.
This Same Origin Policy is an underlying security mechanism that prohibits documents, scripts, or other content loaded from one origin (that is, the protocol, domain name, and port of a given web page or application) from interacting with resources from other origins.Without this strategy, malicious websites (such as badguy.example.com) can access login credentials Google Or another trusted site, when it’s open in a different browser window or tab.
Obvious invasion of privacy
Safari 15 and iOS and iPadOS 15, this policy has been completely broken, Research published late last week established.as demo site The graph shows that it is trivial for a site to know the domains of sites open in other tabs or windows and the user IDs and other identifying information associated with other sites.
Martin Bajanik, a researcher at the security firm FingerprintJS, wrote: “The fact that database names are leaked across different sources is a clear violation of privacy.” He continued:
It allows any website to know which websites users visit in different tabs or windows. This is possible because database names are usually unique and site-specific. Additionally, we observed that in some cases, websites used unique user-specific identifiers in database names. This means that authenticated users can be uniquely and accurately identified.
attack at work Max Running Safari 15 and any browser running iOS or iPadOS 15. As shown in the demo, safarileaks.com was able to detect the presence of more than 20 websites — including Google Calendar, YouTube, Twitter, and Bloomberg — open or windows in other tabs. With a little more work, a real-world attacker might discover hundreds or thousands of websites or web pages that can be detected.
When a user logs into one of these sites, the vulnerability can be abused to reveal access and, in many cases, identify information in real time. For example, when logging into a Google account that is open elsewhere, the demo site can obtain an internal identifier that Google uses to identify each account. These identifiers can often be used to identify account holders.
increase awareness
The leak is a result of the way the Webkit browser engine implements IndexedDB, a programming interface supported by all major browsers. It holds a lot of data and works by creating a database when visiting a new site. A tab or window running in the background can continuously query the IndexedDB API for available databases. This allows a site to know in real time what other sites users are visiting.
Websites can also open any website in an iframe or popup to trigger an IndexedDB-based leak for that particular website. By embedding an iframe or popup into its HTML code, a site can open another site, causing that site to have an IndexedDB-based leak.
“Every time a website interacts with the database, a new (empty) database with the same name is created in all other active frames, tabs, and windows in the same browser session,” Bajanik wrote. “Windows and tabs usually share the same session, unless you switch to a different profile, such as in Chrome, or open a private window.”
