Just a few days after Apple fixed a flaw that allowed an attacker to put your iPhone into an endless crash loop, FingerprintJS has uncovered a Safari vulnerability that could expose your personal information and internet activity to the open web.

The issue is in the IndexedDB API, which, in the words of Mozilla, is used for client-side storage of large quantities of structured data. As FingerprintJS describes, since IndexedDB is a low-level API that is used by every major browser, many programmers “choose to use wrappers that abstract most of the technicalities and provide an easier-to-use, more developer-friendly API.”

According to FingerprintJS, Safari’s implementation of IndexedDB does not comply with the same-origin policy, the security feature that limits how scripts or files loaded from one origin can interact with resources from a different origin. As a result, any website could spy on the other websites that a user visits in different tabs or windows.

Since certain websites use unique user identifiers in the database name, FingerprintJS states that authenticated users can be “uniquely and precisely identified” through websites like YouTube, Google Calendar, and Google Keep. Since you are logged into these sites with your Google ID, the databases associated with that account might be accessed, including your personal data. FingerprintJS has discovered other sites that are susceptible to this issue, including Twitter and Bloomberg.
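For site developers, the exposure described above comes from putting a user identifier in the database name itself. The following added example (not code from FingerprintJS or this article) audits the names an application passes to `indexedDB.open()` and flags those that embed a user-specific token; the function names, patterns, and sample names are assumptions made for illustration.

```javascript
// Heuristic patterns for user-specific tokens inside a database name.
// These patterns are assumptions for this example; adapt them to the
// identifier formats your own application uses. First match wins.
const ID_PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "email", re: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i },
  { kind: "long-number", re: /\d{10,}/ },
  { kind: "hex-token", re: /[0-9a-f]{24,}/i },
];

// Return a finding for one name, or null if no identifier-like token is found.
function classifyName(name) {
  for (const { kind, re } of ID_PATTERNS) {
    const match = name.match(re);
    if (match) {
      return { name, kind, token: match[0] };
    }
  }
  return null;
}

// Audit a list of database names and keep only the ones that look
// user-specific. A name that is identical for every user passes the audit.
function auditDatabaseNames(names) {
  return names.map(classifyName).filter((finding) => finding !== null);
}

// Constructed sample names (not taken from any real site).
const SAMPLE_NAMES = [
  "app-settings",
  "offline-cache|103948572034857203948",
  "notes:3f2b8c1e-9a4d-4c7b-8e21-5d6f7a8b9c0d",
  "mail_jane.doe@example.com",
  "media-v2",
];

for (const finding of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${finding.kind}: "${finding.name}" embeds "${finding.token}"`);
}
```

Names flagged here are candidates for a static database name, with the account identifier stored inside the database as a record rather than in its name.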

The bug can be seen in action through a demo developed by FingerprintJS. The only known remedy is to switch browsers on macOS. iOS and iPadOS users are limited in their alternatives due to Apple’s treatment of the browser engine; however, FingerprintJS mentions that users may disable JavaScript by default and only allow it on trusted websites. Otherwise, you can sit and wait for an update to be released. Apple is currently working on iOS 15.3 and macOS 12.2 for release, but it’s not clear whether the update will contain the Safari fix.
