WebKit engine of Safari 15 browser detected with a critical issue in the implementation of IndexedDB API resulting in leaking of browsing activities & exposing user identity...

Continue reading
Security analysts at Fingerprintjs discovered a critical browser issue that could leak the browsing history and even expose the identities of internet users. The issue has been detected in the implementation of IndexedDB API in the Webkit browser engine of Safari 15 on macOS and all browsers on iOS and iPadOS 15.
IndexedDB is a popular low-level browser API supported by all the major browsers across the world wide web. It is primarily designed to cater to client-side storage without any storage capacity limitations. It’s supported in all major browsers and is very commonly used. The API is generally deployed by many developers who choose to use wrappers abstracting most of the technicalities while providing a demystified and intuitive usability with a more developer-friendly API for caching web application data for viewing preloaded webpages offline. Its modules, dev tools, & browser extensions can also store sensitive information.
To prevent any security events related to cross site scripting, like any other modern technologies found in browsers, IndexedDB strictly follows the same-origin policy, which restricts the interaction of documents or scripts from one origin to other origins, with resources being the fundamental security mechanism.
As the origin is defined by hostname (domain), scheme (protocol) & ports of the URL used to access it, so does the specific origin get associated with indexed databases. However, if associated with different origins, documents or scripts can't possibly interact with databases related to other origins.
IndexedDB follows the same-origin policy, but IndexedDB API violates the same policy throughout the implementation of Webkit used in Safari web browser. And not only that, it continues to impact all the browsers of iOS & iPadOS using the same browser engine. As the implementation of IndexedDB in Safari 15 allows the name of the database to be drawn by any website within the same session, everytime a new database (empty) with the same name is created in all other active frames, tabs, and windows.
Although tabs & windows usually share the same session, unless switched to a different profile. It is observed that database names feature user-specific identifiers, potentially leading to user identification disclosure. While it also translates that authenticated users are prone to get exposed as all of these sites create individual databases for multiple logged-in users.
Around 1000 Alexa's top websites were visited in order to infer how IndexedDB is used in the website and can be identified throughout their interaction. However, the results reflect an underwhelming value of 30 websites detected to interact with indexed databases directly over their landing page without any authentication or additional user interaction. The tracking prevention system of Safari blocks the indexed databases named as universally unique identifiers (UUIDs) created by subresources like ad networks to avoid the exposure of database names. And the same can also be prevented by adblocker extension or blocking all Javascript execution. Safari 15's private mode remains affected; however, every browsing session is restricted to a single tab. Additionally, if the actual problem lies within the WebKit, then any browser using it may also remain vulnerable. To determine the actual impact on your browser, kindly head over to the demonstration page, which generates the API leak.

As a part of the mitigation techniques, besides blocking all the javascript, which can be a drastic measure, end up resulting in functionality issues on many web pages, moving towards non-WebKit-browsers could be a viable option but only limited to macOS ecosystem, until browser or OS updates become available.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.