A flaw has been discovered in WebKit, the rendering engine of Apple’s Safari browser. This exposes the sites to the names of other sites visited in real time, and in some cases even personal identifiers.
You will also be interested
[EN VIDÉO] Kézako: how is data encrypted on the Internet? Cryptography is the oldest form of encryption. There are traces of its use until 2,000 BC. This technique still used today, especially on the Web, reveals its mysteries on video thanks to the Kézako program from Unisciel and the University of Lille 1.
On their blog official, specialist browser tracking service FingerprintJS unveiled a flaw in the WebKit rendering engine, which affects version 15 of Safari. The problem lies in its implementation ofAPIs IndexedDB and has the consequence of allowing websites to know the names of other sites visited.
IndexedDB is a tool present in all browsers which allows sites to store data on the user’s computer. When used correctly, each site only has access to the information it has recorded. However, due to this flaw, each time a site creates a database via IndexedDB, an empty copy is created in all other tabs, Windows and frames of the same session.
No updates yet
The content of the database is therefore not exposed, only the name. However, many sites include their name when creating their database, which is therefore visible to all other sites visited by the user. Additionally, some even include a user ID, as is the case with Youtube. This can therefore make it possible to identify the Internet user, or at least in the case of google, to retrieve the profile picture. And a site could voluntarily open another site in a frame, without the knowledge of the user, to obtain such information.
It’s not just Safari that’s affected. The flaw also affects third-party browsers on iPhone and iPad given thatApple requires the use of WebKit. the bug was reported on November 28, but Apple has yet to release an update. In the meantime, it is possible to use another browser on macOS, but there is no alternative on iOS and iPadOS.
Interested in what you just read?
.
fs1