If you think iPhones are far secure than other devices, think again. Turns out a new vulnerability has been found on the iOS 15 version of the Safari web browser that exposes users and their activities to open websites in real-time. FingerprintJS called upon the critical vulnerability that needs to be fixed at the earliest before it goes around doing destruction.
According to the report, the vulnerability was found on IndexedDB API that stores an ample amount of structured data on the client-side storage i.e. your phone. It is a low-level API used by many web browsers.
The report reads that the iOS 15 version of Safari web browser violates the same-origin security mechanism of IndexedDB. Same-origin policy dictates if and how scripts gathered from one origin along with its resources are not available for activities from other origins. In simple words, the same-origin policy stores details related to the user and online activities stemming from one tab on the Safari web browser and doesn’t lets another tab or frame or window from interacting with the same.
Jake Archibald on Twitter: “This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines. https://t.co/aXdhDVIjTT / Twitter”
This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines. https://t.co/aXdhDVIjTT
However, since the bug is violating this policy, it means other websites can read the stored database gathered from other origins and that happens in real-time. The tab might be in the background while the user has opened another active tab where the former will still know what’s going on in the new tab.
FingerprintJS further puts an example of Google ID which creates a unique identifier across all its apps and websites. When a user visits Google Calendar, YouTube, or Google Keep (or others), he/she will be using their Google ID with a unique database name attached to it. However, the vulnerability can now leak out details on users’ personal information, activities, and more across other websites as well.
Not using Safari is a viable option, however, Apple’s handling of browser engines can be a bummer. At the time of writing this, Apple acknowledged the issue and it is working on a fix that is yet to arrive to end-users. Both iOS 15.3 and macOS 12.2 are in the works probably with the bug fix although we will have to wait for the update to arrive from Apple’s end.
You might also like
More from iOS
Google currently dominates the OS market globally and that is likely to remain the same for years to come. However, …