Apple devices violate basic security protocol, exposing private data

posted Saturday Jan 22, 2022 by Scott Ertz

Apple devices have been violating same origin policy for the past 4 months, exposing private data to potential hackers. This means that a hacker could track your browsing history and access additional information, depending on the way those sites store data in your browser. This bug has yet to be fixed, so it's important to be aware of the potential dangers and take steps to protect yourself.

What is the Same Origin Policy?

The same origin policy is a basic security rule of the internet that prevents scripts from one site from making changes or accessing data from another. This rule helps to protect your private data and keep you safe online.

When you visit a website, your browser downloads a variety of scripts that allow the site to function. These scripts come from a variety of sources - including other websites that the site has linked to. The same origin policy ensures that these scripts can't interact with each other. This prevents a hacker from exploiting a vulnerability on one site to access data from another site.

Why is the Same Origin Policy Important?

The same origin policy is one of the most basic security measures on the internet and helps to protect your private data. Without it, hackers would be able to exploit vulnerabilities on websites to track your browsing history and access sensitive information like passwords and credit card numbers.

How did Apple break things?

Apple devices have been violating same origin policy for the past four months, exposing private data to potential hackers. This means that a hacker could track your browsing history and access additional information, depending on the way those sites store data in your browser.

The issue comes about because of the way the browser currently handles access to IndexedDB. This is the database that all browsers use to allow sites to store information. Normally, the database is only visible to the domain that created it. Under the current system, a copy of each database is created for each domain. This makes it easy for any site to ask for the names of the database and receive everyone's names. This becomes a problem with sites like Google, which uses the unique identifier as part of the database name, giving everyone access to information about your account.

This bug was introduced with iOS 15 in September of 2021 and has yet to be fixed. So far, there have been no reports of any malicious actors taking advantage of this security flaw, but it's important to be aware of the potential dangers.

Martin Bajanik of FingerprintJS is the researcher who discovered the vulnerability. He reported it to Apple in November of 2021. As of now, the company has still not patched the issue. Per standard security policies, the company reported the vulnerability publicly to allow security professionals to work on fixes when the company themselves will not.

F5 Live: Refreshing Technology

January 23, 2022 - Episode 616

Sunday Jan 23, 2022 (01:26:52)

Description

This week, Activision is getting a new home at Microsoft, the IRS is getting biometric data, and YouTube is getting a little more original.

Participants

Scott Ertz

Host

Scott is a developer who has worked on projects of varying sizes, including all of the PLUGHITZ Corporation properties. He is also known in the gaming world for his time supporting the rhythm game community, through DDRLover and hosting tournaments throughout the Tampa Bay Area. Currently, when he is not working on software projects or hosting F5 Live: Refreshing Technology, Scott can often be found returning to his high school days working with the Foundation for Inspiration and Recognition of Science and Technology (FIRST), mentoring teams and helping with ROBOTICON Tampa Bay. He has also helped found a student software learning group, the ASCII Warriors, currently housed at AMRoC Fab Lab.

Avram Piltch

Host

Avram's been in love with PCs since he played original Castle Wolfenstein on an Apple II+. Before joining Tom's Hardware, for 10 years, he served as Online Editorial Director for sister sites Tom's Guide and Laptop Mag, where he programmed the CMS and many of the benchmarks. When he's not editing, writing or stumbling around trade show halls, you'll find him building Arduino robots with his son and watching every single superhero show on the CW.

Opening

Powered by TeknoAXE

Nifty Gifties

Powered by Microsoft Store

IRS is requiring third-party facial recognition for online taxpayers

One thing we have learned over the past few years is that people are not comfortable with the idea of public biometric information. Whether it's Disney collecting fingerprints for pass holders or law enforcement scanning faces, people are not about it. But, despite the very public and loud backlash over the topic, we still see biometric data being collected for a lot of systems. The most recent comes to us care of the US federal government, in particular the Internal Revenue Service (IRS), who will begin requiring the use of facial recognition systems soon.

Piltch Point with Avram Piltch

Powered by PureVPN

Extra Life

Powered by Loot Crate

Activision Blizzard joins ever-growing Microsoft Gaming family

In what was a big surprise to some in the industry, Microsoft announced this morning that they had entered into an agreement to purchase Activision Blizzard. The companies have agreed to a $68 billion sale that will see the entirety of Activision Blizzard reporting directly to Microsoft Gaming CEO Phil Spencer. The move is not a huge surprise considering the implosion that has been happening over at Activision thanks to a series of revelations about inappropriate behavior within the company.

News From the Tubes

Powered by Malwarebytes