
Bug in iOS 15 Leaks Users' Browsing Activity in Real Time


For the past four months, Apple's iOS and iPadOS devices and the Safari browser have violated one of the most sacred security rules on the Internet. The violation stems from a bug that leaks user identities and browsing activity in real time.

The same-origin policy is a defense mechanism that prevents documents, scripts, or other content loaded from one origin (that is, the protocol, domain name, and port of a particular site or app) from interacting with resources from other origins. Without this rule, malicious pages (say, badguy.example.com) could obtain login credentials for Google or another trusted site when it is open in another browser window or tab.

A Clear Privacy Violation

Since the September release of Safari 15 and iOS and iPadOS 15, this policy has been broken, a study published last weekend found. As a demo page shows, one page can learn which sites are open in other tabs or windows, as well as user IDs and other information associated with those sites.

“The fact that the names of the libraries are coming out in different ways is a breach of secrets,” said Martin Bajanik, a researcher at security company FingerprintJS. He continued:

It allows unconnected websites to study websites that the user visits on various tabs or windows. This is possible because database names are often unique as well as websites. Also, we noticed that in some cases, websites use user identifiers in database names. This means that authorized users can be uniquely identified and precisely identified.

The attacks still work on Macs running Safari 15 and on any browser running on iOS or iPadOS 15. As the demo shows, safarileaks.com can detect the presence of more than 20 websites (Google Calendar, YouTube, Twitter, and Bloomberg among them) open in other tabs or windows. With more work, a real attacker could identify hundreds or thousands of sites or pages.

When users are logged in to one of these websites, the vulnerability can be abused to disclose their activity and, in many cases, identifying information in real time. When a user is signed in to a Google account open elsewhere, for example, the demo page can obtain the internal identifier that Google uses to identify each account. That identifier can be used to identify who owns the account.

How the Leak Arises

The leak is due to the way the WebKit browser engine implements IndexedDB, a programming interface supported by all major browsers. IndexedDB holds large amounts of data and works by creating databases as new pages are visited. Background tabs or windows can query the IndexedDB API for the existing databases. This allows one page to learn in real time what other websites a user visits.

Websites can also open any page in an iframe or pop-up window to trigger an IndexedDB leak for that page. By embedding an iframe or popup in its HTML code, a page can open another site and cause an IndexedDB leak for that site.

“Whenever a web site connects to a repository, a new (blank) repository with the same name is created in frames, tabs, and all other windows within the same browser,” wrote Bajanik. “Windows and tabs usually share the same section, unless you switch to another profile, in Chrome for example, or open a private window.”
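
For site owners, the point above about user identifiers in database names suggests a check: audit the IndexedDB database names your own pages create and flag any that embed an account identifier. This is an added example, not code from the FingerprintJS research or from the original article; the function names, patterns and sample names are assumptions constructed for illustration.

```javascript
// Added example: site-owner audit of IndexedDB database names.
// The patterns are illustrative assumptions, not an exhaustive list.
const ID_PATTERNS = [
  { kind: 'email', re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i },
  { kind: 'uuid', re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: 'long-number', re: /\d{9,}/ },
  { kind: 'long-hex', re: /[0-9a-f]{24,}/i },
];

// names: database names created by your own pages.
// knownUserIds: identifiers of the test accounts used while collecting them.
function auditDatabaseNames(names, knownUserIds = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    for (const id of knownUserIds) {
      if (id && name.includes(String(id))) reasons.push('known-user-id');
    }
    for (const { kind, re } of ID_PATTERNS) {
      if (re.test(name)) reasons.push(kind);
    }
    if (reasons.length > 0) {
      findings.push({ name, reasons: [...new Set(reasons)] });
    }
  }
  return findings;
}

// In a browser, list the databases of the current (your own) origin.
// Returns an empty list where the API is unavailable, e.g. outside a browser.
async function collectOwnDatabaseNames() {
  if (typeof indexedDB === 'undefined' || !indexedDB.databases) return [];
  const dbs = await indexedDB.databases();
  return dbs.map((db) => db.name);
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  'app-cache',
  'offline-store-user-104857600123',
  'sync:alice@example.com',
  'prefs-3f2b8c1e-9a4d-4e6f-8b1a-2c3d4e5f6a7b',
];
```

A name that is flagged is better replaced by a fixed, site-wide database name, with per-user data keyed inside the database rather than in its name.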
