
The new version of Safari has security holes or leaks personal information of users

by admin

[NTD, Beijing, January 17, 2022] Information security professionals pointed out that a serious vulnerability has appeared in the new version of Safari, which may allow users’ browsing records and personal information to be leaked.

Last Friday (January 14), Fingerprintjs, a browser fingerprinting and fraud detection service, said in a blog post that a serious vulnerability exists in the new version of Safari (Safari 15). The vulnerability originates from “WebKit”, the browser layout engine used by Safari.

The article said that in the new version of WebKit, the IndexedDB API has a bug that violates the “Same Origin Policy”, a mechanism commonly used in website security.

The “Same Origin Policy” means that only the website that generates the data can access it. For example, if a user opens an email account in one tab, and then opens a malicious web page in another tab, the Same Origin Policy will prevent the malicious web page from viewing and reading the user’s email.

According to Fingerprintjs, IndexedDB is a browser API for client-side storage designed to hold large amounts of data.

This bug allows any site that uses IndexedDB to access the IndexedDB databases of other sites. Under normal circumstances, the data of different sites should be isolated from each other.

For example, through this vulnerability, when a user moves from a Google page to another web page, that web page can access Google’s ID information, and then collect more information to determine the user’s identity.

Because of this security hole, even turning on the “private mode” of Safari 15 cannot completely prevent data leakage; it can only prevent two pages from reading each other. If you browse two websites in succession on the same tab, the data may still be leaked.
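A small model of the isolation described above, as an added example that is not from the article or from Fingerprintjs. `StorageModel`, `visibleTo`, `runSession` and the `.example` hostnames are constructed for illustration and do not reflect WebKit's implementation. With partitioning on, a page sees only the databases of its own origin (scheme, host and port); with it off, it sees those of every origin in the session.

```javascript
// Constructed model of origin-partitioned client storage (not WebKit code).
// An origin is the (scheme, host, port) triple; URL#origin normalises it.
function originOf(url) {
  return new URL(url).origin;
}

class StorageModel {
  // partitioned=true models the Same Origin Policy;
  // partitioned=false models the class of flaw the article describes.
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.byOrigin = new Map(); // origin -> Map(dbName -> records)
  }

  // Open (or create) a database on behalf of the page at pageUrl.
  open(pageUrl, dbName) {
    const origin = originOf(pageUrl);
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Map());
    const dbs = this.byOrigin.get(origin);
    if (!dbs.has(dbName)) dbs.set(dbName, []);
    return dbs.get(dbName);
  }

  // Databases visible to the page at pageUrl, as "origin dbName" strings.
  visibleTo(pageUrl) {
    const caller = originOf(pageUrl);
    const out = [];
    for (const [origin, dbs] of this.byOrigin) {
      if (this.partitioned && origin !== caller) continue; // isolation check
      for (const name of dbs.keys()) out.push(`${origin} ${name}`);
    }
    return out.sort();
  }
}

// Constructed sample session: a mail site, then unrelated pages.
function runSession(partitioned) {
  const store = new StorageModel(partitioned);
  store.open("https://mail.example/inbox", "messages");
  store.open("https://other.example/", "prefs");
  // Same host, but scheme and port differ, so this is a different origin.
  store.open("http://other.example:8080/", "prefs");
  return store.visibleTo("https://other.example/page");
}
```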


All browsers on iPhone and iPad are affected

The vulnerability affects Safari 15 on macOS, and all browsers on iOS and iPadOS 15, because Apple’s App Store guidelines require all browsers on the iPhone or iPad to use the “WebKit” engine.

Currently, it is necessary to wait for an Apple software update to resolve the error.

Fingerprintjs pointed out that until then, one of the ways for users to protect themselves is to block all JavaScript by default and allow it only on trusted sites, but this would make browsing the web quite inconvenient.

For macOS users, another option is to use a different browser.

However, for iPhones and iPads, this method does not work; it only works with versions prior to Safari 14.

(Transfer from The Epoch Times/Editor-in-charge: Ye Ping)

URL of this article: https://www.ntdtv.com/b5/2022/01/17/a103323205.html
