October 3, 2023

A vulnerability in Apple’s IndexedDB API in Safari 15 allows websites to track users’ activity on other sites and even to reveal their identity.

Used in all major browsers, IndexedDB is a low-level browser API for storing client data, which follows the same-origin policy, to restrict the interaction of resources that have different origins. In general indexed databases are associated with only their specific origin.


But in Safari 15 on macOS and in the browsers running on iOS and iPadOS 15 devices, the IndexedDB API is violating the same-origin policy.

The existence of these “cross-origin-duplicated databases” means that arbitrary websites can learn what other sites the user is visiting in other tabs or windows, because database names are typically website-specific.

Websites such as Google Calendar, Google Keep, and YouTube, create databases contains authenticated user’s Google ID. Databases are created for all of the accounts a user is logged into. The Google User ID can be used to uniquely identify a specific Google account, and can be used with Google APIs to fetch available information on the account owner, including a user’s profile picture, at a minimum.


No user interaction is required for these data leaks to occur, as websites querying the IndexedDB API can learn of other sites in real-time. To protect themselves, Safari, iOS, and iPadOS users could block JavaScript on all sites that are not trusted, which is a drastic and inconvenient option. On macOS, users could switch to a different browser.

The only protection is to update your browser or OS once the issue is resolved by Apple.

Leave a Reply

%d bloggers like this: