Bug causes Safari and iOS user data leak in real time
Apple has a reputation for super-slick user interfaces and solid data security. Which is why it’s unfair that one bug can have such a serious impact.
Large-scale, privacy-related bugs like this one can erode consumer confidence, and the collateral damage to a brand’s reputation is considerable - especially for a ‘household name’ like Apple.
So what’s happened?
Since September, Apple’s iOS and iPadOS devices and Safari browsers have undermined a cornerstone element of internet security: protecting personal user information.
The problem occurred because of a breach of the same-origin policy - a mechanism that, according to Mozilla, “helps isolate potentially malicious documents, reducing possible attack vectors.”
Here’s what you need to know about Apple's bug in (just over) 300 words.
How does the leak work?
Essentially, the same-origin policy stops documents (or other content) loaded from one origin from interacting with resources from another origin. When the policy is not enforced correctly, malicious sites can access personal information from logins for any application on another trusted site (like Google or Facebook, for example) when it’s open in another tab.
Ars Technica give an excellent breakdown of the nitty gritty:
“[Bad] websites can also open any website in an iframe or pop-up window in order to trigger an IndexedDB-based leak for that specific site. By embedding the iframe or popup into its HTML code, a site can open another site in order to cause an IndexedDB-based leak.”
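The isolation described above can be shown with a simplified model, added here as an example; it is not code from Apple, WebKit or the sources quoted. It assumes that what the storage layer lists per page is a set of database names, and SessionStore, crossOriginExposure, the sites and the database names are all constructed for illustration.

```javascript
// Toy in-memory model of origin-partitioned storage. Not browser code.
// Assumption: each database is recorded with the origin that created it.

// An origin is the (scheme, host, port) triple; URL.origin serializes it.
function originOf(url) {
  return new URL(url).origin;
}

class SessionStore {
  constructor() {
    this.entries = []; // one { origin, name } per database in the session
  }
  open(pageUrl, name) {
    this.entries.push({ origin: originOf(pageUrl), name });
  }
  // Enforced policy: a page sees only databases created by its own origin.
  listIsolated(pageUrl) {
    const origin = originOf(pageUrl);
    return this.entries.filter((e) => e.origin === origin);
  }
  // Missing origin check: the listing spans every origin in the session.
  listUnfiltered(_pageUrl) {
    return this.entries.slice();
  }
}

// Regression check for a storage layer: names a page can see but does not own.
function crossOriginExposure(store, pageUrl, listMethod) {
  const origin = originOf(pageUrl);
  return store[listMethod](pageUrl)
    .filter((e) => e.origin !== origin)
    .map((e) => e.name);
}

function demo() {
  const store = new SessionStore();
  // Constructed sites and database names, for illustration only.
  store.open("https://mail.example/inbox", "mail-cache-user-1234");
  store.open("https://social.example/feed", "social-session-user-1234");
  store.open("https://untrusted.example/", "ads-prefs");
  const page = "https://untrusted.example/landing";
  return {
    isolated: crossOriginExposure(store, page, "listIsolated"),
    unfiltered: crossOriginExposure(store, page, "listUnfiltered"),
  };
}

console.log(demo());
```

With the origin check in place the exposure list is empty; without it, the untrusted page sees both other sites' database names, and the shared "user-1234" suffix is the kind of detail that lets separate accounts be linked.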
Why is the leak bad?
When user data is unprotected in this way it’s never great news. The biggest risk here comes from the fact that the user's personal information - information that could potentially be used to identify them - is unprotected.
As FingerprintJS explain, “not only does [the leak mean] that malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user.” This suggests that an untrusted site could gather detailed information on an individual from multiple sources, helping it build up a clearer picture of who the individual is.
The tab could be running in the background, without the user knowing, and without requiring any specific user action.
How to protect yourself
Other than avoiding Safari, iPadOS and iOS, sadly there’s not a great deal users can do. One option suggested by FingerprintJS may be to “block all JavaScript by default and only allow it on sites that are trusted”.
One key thing to remember is to update your browser as soon as Apple resolves the issue.