
Security Bits — 23 January 2022

Feedback & Followups

  • 🇺🇸 Un-redactions in an ongoing antitrust case against Google led by the state of Texas have revealed more details on how Google abuse their position of power in the ad world — in effect, they represent both parties in an auction they run and profit from and use that to inflate their earnings: www.wired.com/…
  • Apple have patched the HomeKit bug we talked about last time: Apple Releases iOS 15.2.1 Update That Fixes HomeKit Bug — www.macobserver.com/…
  • 🇷🇺 Russian authorities claim to have arrested key members of the REvil ransomware gang responsible for the Colonial Pipeline attack in the US — nakedsecurity.sophos.com/… & krebsonsecurity.com/…
  • 🇺🇸 The bill to force side-loading on mobile devices continues to make its way through the legislative process, and Apple continue to be deeply unhappy about it — www.imore.com/…

Deep Dive 1 — 🧯 The Safari 15 Data Leak Bug Reported by FingerprintJS

The folks at FingerprintJS (a grey-hat company that sells browser fingerprinting services) have released details of a subtle privacy leak in Safari 15 on iOS & macOS.

TL;DR — there is a leak, but it’s extremely limited, and nowhere near as bad as most of the headlines would make you believe.

Cookies are an age-old mechanism for storing small snippets of unstructured data in our browsers. Websites hand browsers cookies, and the browsers store them until the next time they visit the same website, at which point they hand them back. The information they store is literally a string of text.

Modern web apps (so-called progressive web apps) have valid reasons for storing more data in a more structured way within the browser, so the IndexedDB API was developed to allow JavaScript to store structured data in the browser.

Like cookies and JavaScript in general, IndexedDB databases should be protected by browsers’ same-origin policy. In Safari 15 that’s almost completely true, but not quite. Safari doesn’t leak the contents of one website’s local database to JavaScript running on another website (that would be a catastrophic failure), but it does leak the names of all the databases that exist, and the databases are named for the URLs of the web apps that created them. This means one website can know you use another website if an appropriately named IndexedDB database exists. Because the databases are named for the URLs that created them, and because some sites embed unique identifiers in their URLs, the database names also leak those identifiers. It would be a catastrophic security blunder to embed secrets in web app URLs, so these leaked IDs are not going to be things like keys or passwords, but more generic tokens like session or user IDs.

Apple are aware of the bug and working on a fix.

Until Apple patch this bug, it’s possible for a malicious website to know you use any other website that uses IndexedDB local storage, and depending on the site, also the user you log in as. No actual data is leaked.
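Because the database names are the part that leaks, a site can check the names it creates for embedded identifiers. The following is an added example, not code from FingerprintJS or from these show notes; the patterns, function names and sample names are assumptions constructed for illustration, and `indexedDB.databases()` is the standard browser API for listing the current origin's databases.

```javascript
// Patterns for values that identify a user or session if they appear in a
// database name. These are illustrative assumptions, not an exhaustive list.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-hex-token", re: /(?<![0-9a-f])[0-9a-f]{16,}(?![0-9a-f])/i },
  { kind: "long-numeric-id", re: /(?<!\d)\d{8,}(?!\d)/ },
];

// Return one finding per database name that embeds something identifier-like.
// The first matching pattern (in the order above) decides the reported kind.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    const hit = IDENTIFIER_PATTERNS.find(({ re }) => re.test(name));
    if (hit) findings.push({ name, kind: hit.kind });
  }
  return findings;
}

// In a browser, audit the databases created by the page's own origin.
// Outside a browser (or where databases() is unavailable) this returns [].
async function auditOwnOrigin() {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return [];
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name || ""));
}

// Constructed sample names, standing in for what a web app might create.
const SAMPLE_NAMES = [
  "app-cache",
  "offline-store:user@example.com",
  "sync-3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d",
  "profile_1029384756",
  "settings-v2",
];

for (const f of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${f.kind}: ${f.name}`);
}
```

Names flagged here are candidates for renaming to a fixed, non-identifying value, with the per-user data kept inside the database rather than in its name.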

Links

Deep Dive 2 — iCloud Private Relay Teething Troubles

It’s been a very confusing few weeks in terms of Apple’s iCloud Private Relay.

First and foremost, remember this is still a beta feature!

The first development was news that EU carriers are asking the European Commission to ban iCloud relay because of ‘digital sovereignty’ and because it hides data from them. I’ve tried to read their reasoning, but it just looks like technobabble to me. My honest opinion is that it’s intended to sound technical and intimidating, but not actually say anything, because they’re basically cranky about it preventing them spying on their customers to monetise them as a second income stream.

This was followed a few days later with reports that some American users were unable to use PrivateRelay, and that it was being blocked by carriers. Initially many in the tech press jumped to the conclusion that it must be American carriers being evil, but it turns out to be more complicated than that.

There is still a lot of confusion, but some or all of the following three things are going on:

  1. Some carriers are intentionally disabling the feature for some customers, but for a really good reason — those customers have chosen to enable parental controls on their internet connection, and that’s literally impossible with PrivateRelay enabled. (How could the carrier filter web connections it can’t see?)
  2. There exists an obscure per-cellular-network toggle for controlling privacy protection that overrides the PrivateRelay toggle in the iCloud preferences. Some American users found that obscure toggle disabled, and it’s not at all clear why that is. It could be a setting pushed down by carriers.
  3. American carriers are claiming the latest version of iOS introduced a bug that’s disabling the feature. Apple has denied this, saying they didn’t change the PrivateRelay code at all in that update.

The situation in Europe is clear as glass — the carriers want permission to prevent users protecting themselves from being spied on. The situation in America is clear as mud: the carriers could be up to no good, or it could be a bug.

Links

❗ Action Alerts

Worthy Warnings

Notable News

Excellent Explainers

Interesting Insights

Palate Cleansers

  • 🎦 A physicist on TikTok explains how gravity is the weakest of the forces – shared by Allison and recommend following @evanthorizon: www.tiktok.com/…

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
