Thursday, April 25, 2024

Browser flaw can leak data from Mac, iPhone and iPad users

A critical flaw in WebKit, the rendering engine used by browsers on macOS, iOS and iPadOS, could lead to users' personal data, including account identifiers and browsing history, being leaked. The flaw, discovered in November last year, has not yet been fixed and affects users of browsers such as Safari, Chrome and Brave, the latter two only in their mobile versions.

More specifically, the flaw is in the IndexedDB API, which stores data from visited pages to aid navigation. Under normal circumstances, the technology applies a "same origin" rule to database access, so that each domain can only read the data it generated itself. That rule, however, is not enforced in the most recent versions of browsers on the operating systems mentioned above, which exposes data when a user visits a malicious page.
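The same-origin rule described above can be pictured with a small in-memory model, added here as an illustration; it is not code from FingerprintJS or from any browser and does not call the real IndexedDB API. The class, the function names, the example URLs and the choice to model the exposed data as database names are all assumptions of this sketch.

```javascript
// Added illustration: a minimal model of origin-scoped storage.
// All URLs and database names below are constructed sample values.
class OriginScopedStore {
  constructor({ enforceSameOrigin = true } = {}) {
    this.enforceSameOrigin = enforceSameOrigin;
    this.byOrigin = new Map(); // origin -> Map(dbName -> records)
  }

  // An origin is the (scheme, host, port) triple; path and query do not count.
  static originOf(pageUrl) {
    const origin = new URL(pageUrl).origin;
    if (origin === "null") throw new Error(`opaque origin: ${pageUrl}`);
    return origin;
  }

  // Create (or reuse) a database owned by the origin of the calling page.
  open(pageUrl, dbName) {
    const origin = OriginScopedStore.originOf(pageUrl);
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Map());
    const dbs = this.byOrigin.get(origin);
    if (!dbs.has(dbName)) dbs.set(dbName, []);
    return dbs.get(dbName);
  }

  // Database names the calling page is allowed to see.
  visibleDatabases(pageUrl) {
    const caller = OriginScopedStore.originOf(pageUrl);
    const visible = [];
    for (const [origin, dbs] of this.byOrigin) {
      if (this.enforceSameOrigin && origin !== caller) continue;
      for (const name of dbs.keys()) visible.push({ origin, name });
    }
    return visible;
  }
}

// Entries visible to the caller that belong to some other origin.
function crossOriginExposure(store, pageUrl) {
  const caller = OriginScopedStore.originOf(pageUrl);
  return store.visibleDatabases(pageUrl).filter((d) => d.origin !== caller);
}

// Same three sites, with and without the rule enforced.
function demo(enforceSameOrigin) {
  const store = new OriginScopedStore({ enforceSameOrigin });
  store.open("https://mail.example/inbox", "offline-cache-user-1001");
  store.open("https://video.example/watch?v=1", "player-state");
  store.open("https://other.example/", "own-db");
  return crossOriginExposure(store, "https://other.example/page");
}
```

With the rule enforced, `demo(true)` returns an empty list; with it switched off, `demo(false)` returns the two entries owned by the other sites.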

According to analysts at FingerprintJS, a company specializing in biometrics and fraud protection, the absence of this type of limitation in Safari 15, as well as in the implementations of Chrome and Brave on iOS, is worrying, especially considering its scope. Not only are these popular browsers and operating systems, but the technology is also used by some of the most visited sites in the world, including names like Netflix, YouTube, Alibaba and Twitter, as well as services from Google and Dropbox.


At risk are active sessions, whose logins create databases with the API. The flaw, according to experts, also affects the browsers' private browsing mode, but in that case the exposure is smaller, being restricted to the tab in use. Exploiting the vulnerability does not require user authorization, and experts compare it to a direct leak of browser history, even if it only affects a set of sites with specific features.

A demo page has been created by the experts so that users can check what data is subject to interception and how the information can be collected. According to FingerprintJS, the vulnerability was reported to Apple in November 2021, but remains unpatched.

As a protection measure, analysts recommend disabling all JavaScript content, an alternative that can also cause navigation problems and prevent legitimate elements from loading. On macOS, users can use browsers that do not use WebKit — this is the case with Chrome and Firefox, for example — while it is not possible to escape this technology on iOS and iPadOS.
