Safari Bug Leaks Your Google Account Info, Browsing History

There’s a problem with the implementation of the IndexedDB API in Safari’s WebKit engine, which could result in leaking browsing activity in real-time and even user identities to anyone exploiting this flaw.

IndexedDB is a widely used browser API that is a versatile client-side storage system with no capacity limits.

It is typically deployed for caching web application data for offline viewing, while modules, dev tools, and browser extensions can also use it to store sensitive information.

To prevent data leaks from cross-site scripting attacks, IndexedDB follows the “same-origin” policy, controlling which resources can access each piece of data.

However, FingerprintJS analysts discovered the IndexedDB API doesn’t follow the same-origin policy in the WebKit implementation used by Safari 15 on macOS, leading to the disclosure of sensitive data.

This privacy violation bug also impacts web browsers using the same browser engine in the latest iOS and iPadOS versions.

The problem in Safari 15

By violating the same-origin policy, the implementation of IndexedDB in Safari 15 on iOS, iPadOS, and macOS allows any website to read the names of databases created in the same session.

Since the database names are typically unique and website-specific, this is essentially like leaking the browsing history to anyone.

To make matters worse, some database names feature user-specific identifiers (after login), so this API leak could potentially lead to user identification.
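For site owners, the practical check is whether the database names their own application creates carry anything beyond the site's identity. The following is an added example, not code from the FingerprintJS report or from this article: it audits a list of database names for embedded user identifiers. The patterns, the function names and the sample names are assumptions constructed for illustration; `indexedDB.databases()` is the standard browser call for listing an origin's own databases.

```javascript
// Added example: audit the IndexedDB database names your own site creates.
// Patterns and thresholds are assumptions chosen for illustration.
const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;
const LONG_DIGITS_RE = /\d{10,}/; // long numeric run, e.g. an account ID
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;

// Classify one database name by what it would disclose if the name leaked.
function classifyName(name) {
  if (EMAIL_RE.test(name)) return "user-identifier (email)";
  if (UUID_RE.test(name)) return "per-user-or-per-install (uuid)";
  if (LONG_DIGITS_RE.test(name)) return "user-identifier (numeric id)";
  return "site-identifying only";
}

// Every name reveals the site; flagged names may also reveal the user.
function auditNames(names) {
  const findings = names.map((name) => ({ name, risk: classifyName(name) }));
  return {
    findings,
    flagged: findings.filter((f) => f.risk !== "site-identifying only"),
  };
}

// In a browser, on your own origin: list the databases this origin created.
// Returns null where the API is unavailable (for example under Node).
async function auditOwnOrigin() {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return null;
  const dbs = await indexedDB.databases();
  return auditNames(dbs.map((db) => db.name));
}

// Constructed sample names (not taken from any real site).
const SAMPLE_NAMES = [
  "offline-cache-v2",
  "app-store:1234567890123456789",
  "sync-3f2504e0-4f89-41d3-9a0c-0305e82c3301",
  "prefs:alice@example.com",
];
```

Run `auditOwnOrigin()` from the developer console while logged in to your application; any flagged name is a candidate for renaming to a fixed, user-independent value, with the user-specific key moved inside the database.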

Impact and mitigation

According to the analysts, identifying someone through this flaw requires logging in and visiting popular websites such as YouTube and Facebook, or services like Google Calendar and Google Keep.

Logging in on these sites creates a new IndexedDB database and appends the Google User ID to its name. When multiple Google accounts are used, individual databases are created for each of them.

“We checked the homepages of Alexa’s Top 1000 most visited websites to understand how many websites use IndexedDB and can be uniquely identified by the databases they interact with,” mentions the FingerprintJS report.

“The results show that more than 30 websites interact with indexed databases directly on their homepage, without any additional user interaction or the need to authenticate.”

“We suspect this number to be significantly higher in real-world scenarios as websites can interact with databases on subpages, after specific user actions, or on authenticated parts of the page.”

In some cases where subresources create UUID (universally unique identifiers) databases, Safari’s tracking prevention systems intervene to block the leak of information. This positive side-mitigation effect is further enhanced if ad-blocking extensions are used.

The private mode in Safari 15 is still affected, but each browsing session is restricted to a single tab. Hence, the extent of information that could be potentially leaked is at least limited to websites visited through that one tab.

Note that since this is a problem in WebKit, any browser using this particular engine (e.g., Brave or Chrome for iOS) is also vulnerable.

To determine the bug’s impact on your browser, you may visit this demonstration page, which reproduces the API leak.

Safari on iPadOS 15.2 leaking browsing history (Bleeping Computer)

The vulnerability was reported to WebKit Bug Tracker on November 28, 2021, and at the time of writing this, it’s still unaddressed.

One way to mitigate the problem until security updates become available is to block all JavaScript, but this is a drastic measure bound to cause functionality issues on many web pages.

Switching to a non-WebKit-based web browser is the only viable solution, but it only applies to macOS. On iOS and iPadOS, all web browsers are affected.
