The bug affects Safari 15 users on macOS and all browsers on iPadOS and iOS, essentially making some of your browser data vulnerable to attackers. It is so easy to trigger that there is a website created just to demo how simple stealing your data through this security flaw would be. What is actually happening is that the "IndexedDB" API inside these browsers lets websites access the confidential database of other websites. In effect, any website is capable of seeing sensitive info, like your Google account details, when it shouldn't be allowed to.
What is IndexedDB?
The Indexed Database API (IndexedDB) is a standard low-level browser API, implemented in Apple's WebKit browser engine among others. It provides a NoSQL-style database for structured data objects, including files and blobs. In simple words, it stores data on your device for the websites you've visited, making them load quicker the next time you visit them. Each origin has its own database with its own data inside, and since IndexedDB is client-side storage, it holds a lot of data that could be exploited to, essentially, hack you. The people who made IndexedDB know this and aren't dumb enough to leave such an API unattended for malicious hackers. That's why IndexedDB follows the "same-origin policy", a security mechanism designed to make sure that no website can access another website's stored data. The data stored for one origin stays with that origin and cannot be accessed across different origins. For instance, Facebook can't just look into the IndexedDB database for YouTube to see what your log-in credentials are for that site. The same-origin policy stops scripts sourced from one origin from interacting directly with a different origin, preventing one site from talking to another.
Why this is dangerous
Unfortunately, this same-origin policy is being broken as we speak, which allows any site that wants to access the databases of other websites. The names of these databases are what gets exposed, not the content itself. You may think that's safe enough, as only your browser history and the websites you recently visited can be identified this way, but things are more complicated than that. Intricate networks like Google's use unique, user-specific identifiers in database names. That means that authenticated users can be uniquely and precisely identified. And if that user has more accounts linked, all of those also become exposed. With this, hackers can easily go after your account and steal your data with just your Google username alone. From there, the hacker can work their way in deeper and collect more information behind your back without you even knowing. Even worse, Safari's built-in private mode does not protect against this exploit. In fact, none of the affected browsers' so-called private modes are safe here. FingerprintJS reported this bug to Apple on November 28th of last year, immediately upon discovering it. Since then, Apple has neither fixed it nor commented when asked to. Right now, the exploit is at large, and with no updates in sight, it is as dangerous as ever.
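Site operators can reduce the damage of a leak like this on their own end: a database name that carries no user identifier reveals nothing useful even when another origin can read it. As an added example that is not part of the original article or of any vendor's code, the script below audits the IndexedDB database names of your own origin for identifier-like content (long digit runs, email addresses, opaque alphanumeric tokens). The heuristics, the function names and the sample names are my own constructions; `indexedDB.databases()` is the standard API call, which is not available in every browser.

```javascript
// Added example (not from the article): audit IndexedDB database names for
// embedded user identifiers, the pattern that turns a leaked name into a
// per-user fingerprint. Run it on your own origin, or feed it a list of
// names from elsewhere. The sample names below are constructed.

// Return the reasons a database name looks like it embeds an identifier.
function findIdentifierLike(name) {
  const reasons = [];
  // Account numbers, user ids and timestamps tend to be long digit runs.
  if (/\d{8,}/.test(name)) reasons.push('long digit run');
  // Email addresses are an obvious identifier.
  if (/[^\s@/]+@[^\s@/]+\.[A-Za-z]{2,}/.test(name)) reasons.push('email address');
  // A contiguous alphanumeric segment of 16+ chars mixing letters and digits
  // is usually a hash, session id or similar opaque token. Note that hashing
  // a user id does not help: the hash is still a stable per-user value.
  for (const seg of name.match(/[A-Za-z0-9]{16,}/g) || []) {
    if (/\d/.test(seg) && /[A-Za-z]/.test(seg)) {
      reasons.push('opaque token');
      break;
    }
  }
  return reasons;
}

// Audit a list of names and keep only the suspicious ones with their reasons.
function auditDatabaseNames(names) {
  return names
    .map((name) => ({ name, reasons: findIdentifierLike(name) }))
    .filter((entry) => entry.reasons.length > 0);
}

// Enumerate the current origin's databases where the browser supports it.
// indexedDB.databases() exists in Chromium and Safari 14+; elsewhere this
// returns an empty list so the audit can still run on a supplied list.
async function listDatabaseNames() {
  if (typeof indexedDB === 'undefined' || typeof indexedDB.databases !== 'function') {
    return [];
  }
  const dbs = await indexedDB.databases();
  return dbs.map((db) => db.name).filter(Boolean);
}

// Constructed sample: what an audit might see on a site that mixes good and
// bad naming. The safe alternative is one fixed name per app and the user id
// stored in a record inside the database, never in the name.
const SAMPLE_NAMES = [
  'app-settings',                  // fine: fixed name
  'mail-cache-v3',                 // fine: version suffix, not an identifier
  'profile-1029384756-sync',       // flagged: long digit run
  'inbox-alice@example.com',       // flagged: email address
  'session-a1b2c3d4e5f6a7b8c9d0',  // flagged: opaque token
];

// Stand-alone usage: audit the constructed sample, then the live origin if any.
async function main() {
  const live = await listDatabaseNames();
  const report = auditDatabaseNames(live.length ? live : SAMPLE_NAMES);
  for (const { name, reasons } of report) {
    console.log(`${name}: ${reasons.join(', ')}`);
  }
}
main();
```

In a browser console on your own site this reports every database whose name would identify the signed-in user to a third party; an empty report means a leaked name tells an attacker only that someone visited the site, which is the most the page's same-origin guarantee can be reduced to.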
What you can do right now
There isn't really anything potent you can do to combat or prevent this. The only solution on macOS is to switch browsers entirely, but you don't even get that on iOS and iPadOS. On both of those, nothing can be done, as all browsers are affected. You could turn off all JavaScript, but that would make browsing the web incredibly annoying, as without JS everything would just load wrong (slower, out of order, broken here and there, etc). So, your best bet is to wait and hope for an update from Apple as soon as possible that patches this bug. Till then, being aware that this exploit exists will perhaps somewhat help you stay safe. Share this article with anyone you know who uses Safari on macOS or any browser on iOS and iPadOS so they can also stay on the safe side till we see an update.