Unlike Android, iOS has always been considered a largely secure operating system. Experts are largely in agreement on this point. Nevertheless, gaps occasionally turn up in iPhone security as well. In the worst case, these flaws can expose your data. A security researcher has now discovered such a bug, among other places in the Safari app for iOS.
iPhone security compromised
Safari 15 for macOS is among the affected versions, as are all browsers that run on iOS and iPadOS. The IndexedDB API poses a not insignificant security risk there. “Every time a webpage interacts with a database, a new database with the same name is created in all other active frames, tabs, and windows […],” explains the software developer Martin Bajanik. That creates a problem for iPhone security.
Windows and tabs normally share the same session. The only exceptions are when, for example, you switch profiles or open a private window. In other words, websites can find out which other pages you are visiting. This is because the names of the databases created through IndexedDB are usually unique and site-specific. Many sites also put user-specific identifiers in the name of the respective database.
“Authenticated users can be clearly and precisely identified. Some well-known examples are YouTube, Google Calendar or Google Keep. All of these websites create databases that contain the authenticated Google user ID, and in the event that the user is logged into multiple accounts, databases are created for all of those accounts.”
Martin Bajanik (via FingerprintJS)
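Because the leak exposes database names, site operators can check whether their own names carry user-specific identifiers. The following is an added example, not code from FingerprintJS or the article: the function names, patterns and sample names are constructed for illustration, and the pattern list is a heuristic assumption. indexedDB.databases() is the standard browser call that lists the current origin's databases.

```javascript
// Added example: flag IndexedDB database names that embed user-specific values.
// Patterns are heuristic assumptions; tune them to your own identifier formats.
const ID_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-number", re: /\d{10,}/ },
  { kind: "hex-token", re: /[0-9a-f]{24,}/i },
];

// Returns [{ name, kind, match }] for every name that looks user-specific.
function auditDatabaseNames(names, knownUserValues = []) {
  const findings = [];
  for (const name of names) {
    // Exact values of the signed-in user (id, e-mail) are the strongest signal.
    const known = knownUserValues.find((v) => v && name.includes(String(v)));
    if (known !== undefined) {
      findings.push({ name, kind: "known-user-value", match: String(known) });
      continue;
    }
    for (const { kind, re } of ID_PATTERNS) {
      const m = re.exec(name);
      if (m) {
        findings.push({ name, kind, match: m[0] });
        break;
      }
    }
  }
  return findings;
}

// Browser wrapper: audits the databases of the current origin only.
async function auditOwnOrigin(knownUserValues = []) {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return [];
  const dbs = await indexedDB.databases(); // [{ name, version }, ...]
  return auditDatabaseNames(dbs.map((d) => d.name), knownUserValues);
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-settings",
  "offline-cache-v2",
  "notes-104857612093847561029",
  "mail-alice@example.com",
  "sync-3f2b8c1e-9a4d-4c7b-8e21-5d6f7a8b9c0d",
  "drafts-u42",
];
```

Run auditOwnOrigin() on a signed-in test session of your own site and pass the session's user ID and e-mail as knownUserValues; any finding is a name that would identify the account if database names become visible to other origins.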
Google ID reveals your identity
For example, if the websites use your Google ID, your privacy and iPhone security are basically gone. With its help, services can tie you to a specific account that may even contain your real name. If you have a profile picture there, it is accessible as well.
This means not only “that untrustworthy or malicious websites can learn the identity of a user”. The vulnerability also allows multiple separate accounts used by the same person to be linked.
According to inside digital, a patch for the vulnerability is already in the works. It is currently unclear when you will be able to download the corresponding update.
Source: FingerprintJS; inside digital