Securing APIs properly is extremely important. Back in August 2021, the default configuration in Microsoft’s Power Apps portals led to 38 million records being leaked due to a publicly accessible API hosting confidential information. Now, security researchers have identified a similar bug in a Safari 15 API that can leak your personal data.
Security researchers over at FingerprintJS have located an issue in the implementation of the IndexedDB API which should follow the same-origin security mechanism where indexed databases, scripts, and documents of one origin should not be able to interact with objects from another origin.
However, IndexedDB violates this policy. The researchers have noted that every time a website communicates with a database, Safari 15 on macOS and all versions of the browser on iOS and iPadOS 15 create a new and empty, but shared, database in all active tabs, frames, and windows inside the same browser session. What’s worse is that this cross-origin duplicated database is created with the same name as the original which means that it’s easier for a malicious website author to determine the sensitivity of the data you are accessing.