Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This is possible because database names are typically unique and website-specific. It lets arbitrary websites learn what websites the user visits in different tabs or windows. “The fact that database names leak across different origins is an obvious privacy violation,” wrote Martin Bajanik, a software engineer at FingerprintJS, a startup that makes a device identification interface for anti-fraud purposes. As a demo site graphically reveals, it’s trivial for one site to learn the domains of sites open in other tabs or windows, as well as user IDs and other identifying information associated with the other sites. Since September’s release of Safari 15 and iOS and iPadOS 15, this policy has been broken wide open, research published late last week found. Without this policy, malicious sites-say, -could access login credentials for Google or another trusted site when it’s open in a different browser window or tab. The same-origin policy is a foundational security mechanism that forbids documents, scripts, or other content loaded from one origin-meaning the protocol, domain name, and port of a given webpage or app-from interacting with resources from other origins. The violation results from a bug that leaks user identities and browsing activity in real time. For the past four months, Apple’s iOS and iPadOS devices and Safari browser have violated one of the Internet’s most sacrosanct security policies.
0 Comments
Leave a Reply. |