Apple developers have filled a serious gap in Safari’s WebKit sub-structure. The vulnerability allows websites to gain insight into browsing activities and, under certain conditions, to clearly identify users.
An apple According to WebKit change Several code modifications have been implemented for this, so the original error report is considered “checked”.
Same origin policy ignored
For some reason yet unknown, since version 15 Safari has ignored the “Same Origin Policy” and thus one of the basic security concepts on the web. Instead of just being able to read their own content, scripts, and databases, websites can also display IndexedDB databases for other websites visited in the current browser session. This quickly provides a very comprehensive insight into your internet browsing behaviour.
In addition, these databases may contain account identifiers – such as the Google Account ID. This could make it possible for an attacker to identify the user.
The gap has been open for months
A security researcher reported new vulnerabilities in Safari 15 to Apple last November, but it appears the company has not reacted for long. The group reacted only after widespread criticism and reports. The vulnerability appears to have been around since the browser was released with iOS 15, iPadOS 15, and macOS — until today. the page safarileaks.com Explains the problem.
Apple must now integrate the WebKit patch into its own operating systems or into the new version of Safari and deliver it to end customers. The update date is still unclear at the moment. An operating system update is required for iOS and iPadOS.
Mac users can switch to another browser until then. However, this doesn’t help iOS and iPadOS users because all browsers out there have to rely on WebKit for the infrastructure – so it has the same gap. Disabling JavaScript can reduce the problem somewhat, but it also makes many websites unusable.
(lbe)