Pervasive Apple Safari Bug Exposes Web-Browsing Data, Google IDs

image
A security vulnerability in Apple’s browsers for macOS, iOS and iPadOS can lead to information disclosure, researchers have warned. Apple has just marked the issue as “resolved,” but it will take some time for the fixes to roll out, they said, so users should implement mitigations. According to researchers at FingerprintJS, the bug is a same-origin policy violation. Typically, a web browser permits scripts on one web page to access data on a second web page only if both pages have the same origin/back-end server. Without this security policy in place, a snooper who manages to inject a malicious script into one website would be able to have free access to any data contained in other tabs the victim may have open in the browser, including access to online banking sessions, emails, healthcare portal data and other sensitive information. In this case, the specific issue exists in Safari 15’s implementation of the IndexedDB API, researchers said in a recent posting. If exploited, cyberattackers could use a malicious website to track a victim’s internet activity and could possibly uncover the user’s identity. “IndexedDB is a browser API for client-side storage designed to hold significant amounts of data,” explained researchers at Malwarebytes, in a Wednesday overview of the original analysis. “The researchers found that the current version of WebKit, the browser engine that powers Safari…can be tricked into skipping the same-origin check. To put it simply, the names of all…

Source