Apple devices violate basic security protocol, exposing private data
posted Saturday Jan 22, 2022 by Scott Ertz
Apple devices have been violating the same-origin policy for the past 4 months, exposing private data to potential hackers. This means that a hacker could track your browsing history and access additional information, depending on the way those sites store data in your browser. This bug has yet to be fixed, so it's important to be aware of the potential dangers and take steps to protect yourself.
What is the Same Origin Policy?
The same-origin policy is a basic security rule of the internet that prevents scripts from one site from making changes to, or accessing data from, another. This rule helps to protect your private data and keep you safe online.
When you visit a website, your browser downloads a variety of scripts that allow the site to function. These scripts come from a variety of sources, including other websites that the site has linked to. The same-origin policy ensures that these scripts can't interact with each other. This prevents a hacker from exploiting a vulnerability on one site to access data from another site.
Why is the Same Origin Policy Important?
The same-origin policy is one of the most basic security measures on the internet and helps to protect your private data. Without it, hackers would be able to exploit vulnerabilities on websites to track your browsing history and access sensitive information like passwords and credit card numbers.
How did Apple break things?
Apple devices have been violating the same-origin policy for the past four months, exposing private data to potential hackers. This means that a hacker could track your browsing history and access additional information, depending on the way those sites store data in your browser.
The issue comes about because of the way the browser currently handles access to IndexedDB. This is the database that all browsers use to allow sites to store information. Normally, a database is only visible to the domain that created it. Under the current system, a copy of each database is created for each domain. This makes it easy for any site to ask for the names of its databases and receive the names of everyone else's as well. This becomes a problem with sites like Google, which uses a unique user identifier as part of the database name, giving everyone access to information about your account.
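Because the flaw exposes database names rather than database contents, what leaks depends on what a site puts in those names. The check below is an added example, not code from the original article or from FingerprintJS: it flags database names that embed identifiers, so a site developer can audit the names their own application creates. The patterns, sample names and the numeric ID are constructed for illustration; in a browser, the list of names for your own origin can be read with `indexedDB.databases()`.

```javascript
// Added example: audit IndexedDB database names for embedded user identifiers.
// Patterns, names and identifiers here are constructed sample data.

// Patterns suggesting a name carries identifying data rather than a fixed label.
const PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "long-numeric-id", re: /\d{10,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
];

// Returns one finding per database name that contains a known account
// identifier or matches an identifier-like pattern.
function auditDatabaseNames(names, knownIdentifiers = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    for (const id of knownIdentifiers) {
      if (id && name.includes(id)) reasons.push("known-identifier");
    }
    for (const { kind, re } of PATTERNS) {
      if (re.test(name)) reasons.push(kind);
    }
    if (reasons.length > 0) {
      findings.push({ name, reasons: [...new Set(reasons)] });
    }
  }
  return findings;
}

// Constructed sample: two fixed labels and two names that embed identifiers.
const sampleNames = [
  "app-cache",
  "offline.settings.108234567890123456789",
  "mail-alice@example.com",
  "drafts-v2",
];
const report = auditDatabaseNames(sampleNames, ["108234567890123456789"]);
console.log(JSON.stringify(report, null, 2));
```

Names that are flagged can be replaced with fixed labels, with the per-user data kept inside the database where the name listing does not reveal it.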
This bug was introduced with iOS 15 in September of 2021 and has yet to be fixed. So far, there have been no reports of any malicious actors taking advantage of this security flaw, but it's important to be aware of the potential dangers.
Martin Bajanik of FingerprintJS is the researcher who discovered the vulnerability. He reported it to Apple in November of 2021. As of now, Apple has still not patched the issue. Per standard security policies, FingerprintJS reported the vulnerability publicly to allow security professionals to work on fixes when Apple itself will not.