• Safari 15 may have a serious security flaw, and there's no patch

    From TechnologyDaily@1337:1/100 to All on Mon Jan 17 13:45:04 2022
    Safari 15 may have a serious security flaw, and there's no patch in sight

    Date:
    Mon, 17 Jan 2022 13:31:59 +0000

    Description:
    Malicious actors could even access some private data saved in the Google account linked with Safari.

    FULL STORY ======================================================================

    Security experts have uncovered a major flaw in the latest version of Apple's internet browser, which is leaking browsing history and even some identity
    data saved in associated Google accounts.

    According to a blog post from cybersecurity service provider FingerprintJS, the problem lies in Apple's implementation of the IndexedDB API, which Safari
    15 uses to store data.

    Safari 15 has a security measure that prevents malicious pages opened in one tab from reading the data generated by websites opened in another tab. According to FingerprintJS, the IndexedDB API in Safari 15 does not abide by this policy (called the same-origin policy); instead, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.

    No patch yet

    The researchers have also explained how the flaw can be leveraged to obtain Google account data. Google's services (for example, YouTube) generate databases containing the unique Google User ID in their names. As these IDs are used to access public information, such as a profile picture, other sites could see it as well.
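
An added example, not from the article or from FingerprintJS: because the flaw exposes database names across origins, a site's developers can audit the names their own code gives to IndexedDB databases for embedded user identifiers. The identifier patterns, the function names and the sample names are assumptions constructed for illustration.

```javascript
// Added example: flag IndexedDB database names that embed a user identifier.
// Patterns, thresholds and sample names are assumptions, not from the article.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "numeric-id", re: /\d{10,}/ }, // assumed: 10+ digits is an account ID, not a version
];

// Keep the identifier itself out of audit logs: show two characters and the length.
function redact(value) {
  return `${value.slice(0, 2)}...(${value.length} chars)`;
}

// names: the database names the site's own code passes to indexedDB.open().
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    for (const { kind, re } of IDENTIFIER_PATTERNS) {
      const match = re.exec(name);
      if (match) {
        const shown = name.replace(match[0], redact(match[0]));
        findings.push({ name: shown, kind, length: match[0].length });
        break; // first pattern wins; one finding per name
      }
    }
  }
  return findings;
}

// Constructed sample names for a hypothetical site.
const SAMPLE_NAMES = [
  "cache-v2",
  "offline.settings.112233445566778899001",
  "drafts:alice@example.com",
  "session_3f2b8c1e-9d4a-4c7b-8e21-5a6f0b9c1d2e",
  "app-state",
];

for (const f of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${f.kind}: ${f.name}`);
}
```

Names that are flagged can be replaced with a fixed, user-independent name, with the per-user data kept inside the database's records.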

    To show how a website can learn any visitor's recent and current browsing activity, the researchers also built a demo which you can find on this link. At the moment, it detects 30 affected sites, but the list is probably a lot bigger.

    Right now, there doesn't seem to be a solution to the problem. As reported by The Verge, the problem even affects Private Browsing mode on Safari, and
    with Apple's third-party browser engine ban on iOS, all other browsers are affected as well.

    The flaw was reported to the WebKit Bug Tracker in late November last year, but Apple has yet to issue an update for the browser and remains silent on the matter.

    One option, suggested by the researchers, is to block all JavaScript by default and only allow it on trusted sites. However, this makes modern web browsing inconvenient and is likely not a good solution for everyone, they concluded.

    Via: The Verge



    ======================================================================
    Link to news story: https://www.techradar.com/news/safari-15-may-have-a-serious-security-flaw-no-patch-in-sight/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)