Apple Safari Bug May Leak Personal Information And History

sccomputerguys • Feb 01, 2022

An issue was recently discovered in the way the IndexedDB API was implemented in Safari's WebKit engine.

This is giving heartburn to IT professionals who work in environments dominated by Apple products. The faulty implementation could allow an attacker to observe leaked browser activity in real time, including the user IDs associated with vulnerable machines.

IndexedDB is a commonly used API that provides a robust client-side storage system with no capacity limits. It is normally used for caching web application data so users can view it offline at a later date, but it can also be used to store sensitive information.

To prevent data leaks, IndexedDB developers followed the "same-origin" policy, which controls which resources are allowed to access each piece of data.

Unfortunately, researchers at FingerprintJS discovered that the IndexedDB API in Safari 15 on macOS doesn't follow the same-origin policy, and this deviation could lead to the disclosure of sensitive information.

To be impacted by this issue, a user has to log onto websites like YouTube and Facebook or visit service portals like Google Keep or Google Calendar. Doing so creates a new IndexedDB database and appends the Google username.
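To make the same-origin rule concrete, here is an added example (not code from FingerprintJS, WebKit or this blog): a small Node.js model of an origin-scoped database registry, showing correct scoping beside the faulty behaviour described above. The class, the function names, the URLs and the user id are all constructed for illustration.

```javascript
// Model of a browser's IndexedDB name registry (constructed; not WebKit code).
// An origin is scheme + host + port, as computed by the standard URL parser.
class DatabaseRegistry {
  constructor({ enforceSameOrigin }) {
    this.enforceSameOrigin = enforceSameOrigin;
    this.byOrigin = new Map(); // origin -> Set of database names
  }

  // A page at pageUrl creates a database; it is filed under that page's origin.
  open(pageUrl, name) {
    const origin = new URL(pageUrl).origin;
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Set());
    this.byOrigin.get(origin).add(name);
  }

  // A page at pageUrl asks which database names exist (hypothetical call).
  list(pageUrl) {
    const caller = new URL(pageUrl).origin;
    const visible = [];
    for (const [origin, names] of this.byOrigin) {
      // Correct behaviour: other origins' databases are invisible.
      if (this.enforceSameOrigin && origin !== caller) continue;
      visible.push(...names);
    }
    return visible.sort();
  }
}

// Constructed browsing session: sites, names and the user id are made up.
function simulateSession(enforceSameOrigin, callerUrl = "https://other.example/") {
  const reg = new DatabaseRegistry({ enforceSameOrigin });
  reg.open("https://calendar.example/", "offline-cache-user1234");
  reg.open("https://video.example/watch", "player-settings");
  reg.open("https://blog.example/post", "reading-list");
  return reg.list(callerUrl); // what the calling page is able to see
}

// Defender-side check: which visible names reveal a known user identifier?
function namesExposingId(names, userId) {
  return names.filter((n) => n.includes(userId));
}

console.log("scoped:  ", simulateSession(true));
console.log("unscoped:", simulateSession(false));
```

With scoping enforced, the unrelated page sees nothing. Without it, the same page learns which sites were visited and, through the name that embeds an identifier, which account was used.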

According to the researchers who first discovered the bug:

"We checked the homepages of Alexa's Top 1000 most visited websites to understand how many websites use IndexedDB and can be uniquely identified by the databases they interact with. 

The results show that more than 30 websites interact with indexed databases directly on their homepage, without any additional user interaction or the need to authenticate.  We suspect this number to be significantly higher in real-world scenarios as websites can interact with databases on subpages, after specific user actions, or on authenticated parts of the page."

Worst of all, there's no good mitigation strategy here. Disabling all JavaScript would work, but it would almost certainly break other applications that your organization relies on. So we're waiting on Apple to provide a fix. The good news is that they've got a solid reputation for responsiveness, so we should not have to wait long.