So Apple, one of the largest corporations in the world, leaders in technology, full of some of the smartest people ever born, have been building software for decades. Obviously Apple knows about modern security protocols and Policies in their field, using them adequately whenever needed… right?
This was a bug discovered at the end of November last year by the developers of FingerprintJS, A library used to identify specific machines better then with cookies or local files. When the developers discovered this bug, they had reported it to Apples bug tracker.
Some of the Background Information
The bug itself is relatively harmless, but due to how it has violated a standard in internet protocol, many issues have arisen because of it, some of them leading to you being able to be identified, even across different accounts. To talk about this bug, first we need to talk about Same-Origin Policy(SOP).
Websites, will use databases, usually implemented with IndexedDB (IDB), to store information on your computer, like preferences, details about what you did and other information. The information stored in these databases does not particularly matter for the bug, but the important thing is that any website can only see the databases that is in its tab. This means that if you have Facebook in one tab and Twitter in another, then they cannot see that there is another database, since they are in different frames.
Now the issue…
On Webkit 15, Apples browser engine, it stores data using an implementation of IDB. The people that found this bug put it quite well saying
“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”
FingerprintJS: https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15/
Why was it designed this way?
Now the question is why engineers at Apple made this decision? I am going to give some ideas on what thought processes may have lead to this, but do note that these are just theories, any of which are incredible unlikely to be accurate. These kinds of issues are not usually caused by one decision but a multitude of decisions and reasons.
- The first, and less likely of the two options, is that when apple intends to initialize a database they put it in every frame with its name, but only populate the right frames database. This is a very simplistic explanation of why there are multiple instances of empty databases and only one filled.
- The other, slightly more likely option, is that this was done intentionally as a security mechanism. By initializing an empty database sharing a name with a populated database in a different frame, should any origin attempt to modify another origins database, they will end up modifying the empty database instead, leaving the populated one unchanged.
Now Onto the Problem With This
The issue with this may not yet be apparent, what could the issue be a database as long as it’s empty. No data is being leaked. Well the issue come in with the name of the databases, especially when it comes to some of the biggest websites, like Google and YouTube.
The way that some of the websites have named their databases, they contain, for the example of Google, the user’s Google ID. This is a number uniquely identified to every google account, now able to be seen by any website running on Webkit 15. This is bad as any website can check the name of the the databases in its tab using the function IndexedDB.databases() which lists every database in it’s frame.
The issue is now uncomfortably clear. Any website that regularly checks that name of IDB databases in it’s frame will see not only a complete list of other websites the user is currently looking at, but is some cases, the Google ID of users, allowing them to uniquely identify someone.
So, What’s happening now?
Now this bug was reported at the end of November and recently Apple merged some proposed solution on the git page for their version of IDB, marking the bug as solved. However FingerprintJS has tested it and seen that this leak has not been fixed at all, while apple says it is working on a solution.
This bug in Webkit 15 shows why it is vital to keep up with standard practices, and to follow them, because when services have assumed this standard is in place, ignoring it can cause huge issues for both the sevice and the user.
If you have an IOS Device or a Mac with Safari 15 on it, they have made a demo for you to try the details of this bug and see it’s effects: Demo
References:
- https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15/
- https://www.macworld.com/article/605562/safari-15-bug-expose-browsing-activity-personal-data.html
- https://nakedsecurity.sophos.com/2022/01/18/serious-security-apple-safari-leaks-private-data-via-database-api-what-you-need-to-know/
- https://portswigger.net/daily-swig/same-origin-violation-vulnerability-in-safari-15-could-leak-a-users-website-history-and-identity
- https://safarileaks.com
Your insight on this is very interesting! It is strange that such a humungous company has yet to fix this bug, especially with so many users in their databases. I wonder how long it will take them to fix this, or if they will wait for something more to become compromised because of this bug before they go ahead with a fix. It is still so strange to think that they would allow this at all. Very informative post!
I’m stunned by this information, even though I probably shouldn’t be that surprised. It seems like Apple made a big oversight while trying to implement the databases in the way they wanted to. Industry standards are so important because they are adequately tested, while Apple seems to have tried something different in their database implementation. I hope the industry keeps them accountable to take this seriously now and in the future as well.
“And this is why everyone should use Androids”.
jk jk.
Your article was so informative and intriguing – enough that I wanted to see if Apple users could “avoid” the bug by using only “private browsing” – or would private browsing only create a second session that contains another database.
Answer: Unfortunately no, the bug also affects private browsing.
Link: https://www.theverge.com/2022/1/16/22886809/safari-15-bug-leak-browsing-history-personal-information
Overall, this article enticed my curiosity and taste for learning! Well done!!
As an Android user, I’m honestly amazed that Apple users have such a glaring hole in their security. There are only two ways I can think of to fix this. Either Apple needs to remove this feature, or other big companies, like your example of Google, need to change their naming system for their databases. This actually makes me glad that I’m not using any Apple products, because this has just solidified in my mind that I’ve made the safer choice, financially and security wise.
Incredible post Tyson. I did not know that Apple had this kind of database issue where your personal information can be leaked to any other website, which is very scary. So, I believe that Apple should remove this feature from their Webkit 15 and keep up with modern practices to prevent these issues.
This is a very informative post! It is very surprising to me that Apple has not fixed this problem yet, considering the size of the company and how many people use these devices! As someone with an Apple phone, this is definitely concerning to read about and makes me wonder what other security concerns might exist on our devices that users just don’t know about, and probably wouldn’t ever know about until there is a leak. I definitely question using Apple products, and this has given me more to think about, thank you!
Interesting read. This is definitely a concerning issue, and shows that security should not be taken for granted in the digital world – as even a company as big as Apple can allow such problem to persist. As users, it is important to stay informed, protect our rights, and better hold organizations like Apple accountable for users’ security and privacy. The importance of keeping up with standard practices is also a great point!
For an Apple user, this is very concerning as their data could have been leaking for months now. It is surprising that even after Apple marked the bug as solved, other companies tested it and the leak has not been fixed at all. I wonder if other browsers like Google chrome, etc. are also affected by this issue or is it just Safari and I wonder if this issue doesn’t exist in Google chrome, then how many people would have switched to Google chrome as their main browser.
A great example why standards are in place and one should always abide to them (unless for VERY special circumstances). It is surprising to see that even major tech companies like Apple can be somewhat sloppy and – once again – reiterates how one should never fully trust a system, not even Safari. I find it especially concerning that Apple marked the bug as being resolved while it was in fact still in place. This differs greatly from the standards I would have expected from a company such as Apple. Thank you for the interesting content!
I think this is a great reminder that even though we hold companies to such a high standard, and even though they usually get things right, they are still staffed by human beings, and are still liable to make mistakes from time to time. All you can really hope for in the end is that these companies learn from their mistakes and don’t repeat them in the future, and that people wills till be willing to point out these flaws.
Anything you can do Apple can do better~
…or so they like to think.
I’ve always had a little bit of beef with Apple as a company. They’re staunchly against using anything called an international standard like USB-C, everything must be proprietary and belong to them, they’re staunchly against anything called “Right to Repair laws”, and they have a devoted cult following that swears by their products. So imagine my reaction when I see that they try to make their own database software and despite being a massive tech company manage to create a memory leak that actively compromises your privacy and fails to patch it twice?
In all seriousness though, I think Apple needs to learn to do away with trying to be so self centered in their actions. As the title of this post mentions, we have standards for a reason, and those standards are best when they’re followed, or you may just end up with implementing a tracker on a core piece of hardware.
Thanks for the post, I love hearing about Apple continuing to “innovate”.