Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/fingerprintjs/blog-indexeddb-safari-leaks-demo
Demo showcasing information leaks resulting from an IndexedDB same-origin policy violation in WebKit.
demo indexeddb privacy safari security-vulnerability web-application webapp
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/fingerprintjs/blog-indexeddb-safari-leaks-demo
- Owner: fingerprintjs
- License: mit
- Created: 2021-12-25T12:36:42.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2023-01-16T08:42:28.000Z (about 2 years ago)
- Last Synced: 2024-04-08T20:04:21.689Z (10 months ago)
- Topics: demo, indexeddb, privacy, safari, security-vulnerability, web-application, webapp
- Language: JavaScript
- Homepage: https://safarileaks.com
- Size: 412 KB
- Stars: 101
- Watchers: 8
- Forks: 16
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Safari 15 IndexedDB Leaks
## Description
This demo showcases information leaks resulting from an [IndexedDB same-origin policy violation](https://fingerprint.com/blog/indexeddb-api-browser-vulnerability-safari-15) in [WebKit](https://webkit.org/) (a browser engine primarily used in Safari, as well as all iOS and iPadOS web browsers). You can test this demo on all affected browsers: Safari 15 on macOS, or any browser on iOS and iPadOS 15.
The demo illustrates how any website can learn a visitor's recent and current browsing activity (pages visited in different tabs or windows) using this leak.
For authenticated visitors the demo can leak Google User IDs and profile pictures (if set).
[Read our article](https://fingerprint.com/blog/indexeddb-api-browser-vulnerability-safari-15) or watch our [screencast on YouTube](https://www.youtube.com/watch?v=Z7dPeGpCl8s) for more information.
## Quick start
You need to install [Node.js](https://nodejs.org/) and [Yarn](https://yarnpkg.com/) to run the application.
To fetch Google profile pictures as part of the demo, you'll need to provide a [People API key](https://developers.google.com/people/v1/how-tos/authorizing#APIKey). To do that, rename the `.env.example` file to `.env`, open `.env` and add a valid key.
Open this directory in a terminal and run:
```bash
yarn install
yarn start
```
We use `eslint` to check the code style:
```bash
yarn lint
```