Season 7 Episode 2 Jan 20, 2022

Safari 15’s IndexedDB Vulnerability, An Attack of the Wordle Clones, Walmart Ponders NFTs, and More

Pitch

Tough luck for now if your browser uses WebKit.

Description

In this episode, we talk about Walmart’s plans to get into NFTs and cryptocurrency, telecom operators starting to block Apple’s iCloud Private Relay, and an attack of the Wordle clones. Then we speak with Valentin Vasilyev, co-founder and CTO at FingerprintJS, whose team spotted a vulnerability in Safari 15’s IndexedDB API.

Hosts

Saron Yitbarek

Disco - Founder

Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.

Josh Puetz

Forem - Principal Engineer

Josh Puetz is Principal Software Engineer at Forem.

Guests

Valentin Vasilyev

FingerprintJS - CTO

Valentin Vasilyev is an entrepreneur and open source enthusiast. He co-founded FingerprintJS in 2020 based on the GitHub project he started in 2012.

Show Notes

Audio file size

26621408

Duration

00:27:44

Transcript

[00:00:10] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.

 

[00:00:19] JP: And I’m Josh Puetz, Principal Engineer at Forem.

 

[00:00:21] SY: This week, we’re talking about Walmart’s plans to get into NFTs and cryptocurrency, telecom operators starting to block Apple’s iCloud Private Relay, and an attack of the Wordle clones.

 

[00:00:34] JP: Then we’ll speak with Valentin Vasilyev, Cofounder and CTO at FingerprintJS, whose team spotted a vulnerability in Safari 15’s IndexedDB API.

 

[00:00:44] VV: When he was looking at IndexedDBs, he saw IndexedDBs that somehow were copied from other origins or other frames or tabs into his session and he was very surprised.

 

[00:00:57] SY: So last week, we had a really great interview with Dr. Merav Ozair, leading blockchain expert and FinTech professor at Rutgers Business School about NFTs and how she felt that more and more big companies dipping their toes into the use of them will take us into a more serious wave of societal and economic impact of the technology.

 

[00:01:18] MO: Even the internet, it started with the hype, right? The bubble, right? Everyone wanted to get in. Everyone had an idea. But eventually it settled with the real use-cases, the real implementation of what the internet is and is not with the real applications. Right? So we’ll get there. And I’m happy about it, at least their interests, and because of that interest, you can see brands like Dolce & Gabbana getting into that, Gucci getting into that, Burberry, Nike, Adidas. So serious businesses are now thinking about the business use cases. So it’s good that we have that hype because that’s what will lead us to what I call the real thing, the economic implementations.

 

[00:02:05] SY: Well, this week, CNBC reported that one of the most unlikely billion-dollar companies, Walmart, has filed several trademarks that seem to indicate that they intend to offer virtual goods as well as virtual currencies and NFTs. The American Multinational Retail Corporation filed a total of seven trademark applications on December 30th of 2021. In a statement, Walmart said that they are, “Continuously exploring how emerging technologies may shape future shopping experiences.” So I will say that a lot of times companies file for patents and trademarks of things that don’t actually get used. So caveat, right? That’s not necessarily saying that we’re guaranteeing or they’re guaranteeing they’re going to do something. But Walmart getting into NFTs?

 

[00:02:59] JP: Like what the heck. There was a video that went around, I think it was last week, that it reported to show some virtual reality mock-ups for Walmart. And if you dug into the video a little bit, it turns out it was like three or four years old, which actually was comforting because the video was so janky.

 

[00:03:17] SY: Okay, but it was from Walmart?

 

[00:03:19] JP: It was from Walmart. It was like what they envisioned the virtual reality shopping experience being like but like four years.

 

[00:03:25] SY: Oh, I see. Okay.

 

[00:03:26] JP: So it was really hokey. I wonder if in the future we’ll look back upon this time and say like, “Wow! Companies were really, really optimistic, but it didn’t pan out.” Think about like 10 years ago, 15 years ago, all the hype about the information superhighway and how you were going to live your life online, and we do do that. Yes.

 

[00:03:51] SY: We got to do that.

 

[00:03:52] JP: Right. But if you take a look at some of those promotional videos from 15 years ago about how life is going to be like with us living in the fast-paced information, super highway lanes…

 

[00:04:05] WOMAN: “There will be a road. It will not connect two points. It will connect all points. Its speed limit will be the speed of light. It will not go from here to there. There will be no more there! There will be no more there! There will be no more there. We will all only be here.”

 

[00:04:31] JP: It doesn’t look like that at all. It’s crazy.

 

[00:04:34] SY: So there’s so many things that are interesting about Walmart getting into NFTs. One is I don’t really view Walmart as a tech company, first of all, right?

 

[00:04:41] JP: Right. Yes, of course.

 

[00:04:42] SY: They’re kind of like classic retailer. So there’s kind of that, but there’s also this idea that with NFTs, the whole vibe is supposed to be like exclusivity and like one time drops and collectible items and just kind of this very exclusive, private, super special. And Walmart is like the opposite of that. Walmart is like for the everyday person, everyday low prices, anybody can get it. So like even if companies getting into NFTs was more normal, Walmart getting into NFTs feels so against the ethos of Walmart.

 

[00:05:16] JP: I mean, you need to get some breads and butter, some NFTs, you know, your usual weekly shopping.

 

[00:05:21] SY: Usual grocery lists.

 

[00:05:23] JP: I don’t know. What kind of NFTs would they sell? Would they be like…

 

[00:05:26] SY: Right. Right. Exactly. I have no idea.

 

[00:05:28] JP: Yeah. I see your point. It’s not exactly an exclusive fashion brand per se.

 

[00:05:32] SY: Yeah.

 

[00:05:33] JP: On the other hand, you can sneeze and make an NFT of that. Okay, don’t. But it seems like you could make an NFT of almost anything and they just sell out, especially if you slap an exclusive label on it, they sell out. So why not give it a try?

 

[00:05:49] SY: And Walmart isn’t the only big company to do this. Nike bought a startup that’s just two years old that designs digital virtual sneakers in NFTs and they’ve been doing NFT Drops. Gap also did NFT Drops as well.

 

[00:06:05] JP: Maybe you can like mint your local Walmart branch, like, “I own the NFT in my local entire store.”

 

[00:06:09] SY: The entire store, yes.

 

[00:06:11] JP: The entire store is my NFT. I don’t know.

 

[00:06:14] SY: Yes.

 

[00:06:15] JP: Well, this next story is about how some European telecom operators are not happy with an Apple iCloud feature that was launched last year as an opt-in beta for iOS 15 called Private Relay. What Private Relay does is essentially create a VPN for traffic from Safari on the iPhone, which the company says keeps your browsing traffic private from everyone, including Apple itself. According to reporting by the Telegraph, telecom companies including T-Mobile, Vodafone and Telefonica signed an open letter about their discontent with Private Relay saying that the data and metadata that is being cut off from them is vital and impacts “operator’s ability to efficiently manage telecommunication networks”. Some of these companies are reportedly already blocking Private Relay features from their users. Now Private Relay is not offered in some countries such as China, Saudi Arabia, and Columbia due to governmental reasons. But this complaining by telecom companies in democratic countries is really kind of concerning. What do you think about this, Saron?

 

[00:07:16] SY: Yeah. This is very suspicious. Do you really need to see what I'm doing? Right? Like that’s the big question. Do you really need to see what I’m doing, where I’m going to deliver to efficiently manage your telecommunication’s network? I don’t think so. I don’t. I don’t think so.

 

[00:07:32] JP: Maybe. I can see an argument for like, “We want to prioritize traffic. So maybe our video gets prioritized. I want packets that have contained video. I want to deliver those, absolutely, so that you’re not buffering. And if it’s your email packets, then maybe I don’t deliver those as quickly.” But I think what they really want to do is charge you more and meter you more. We’ve seen instances of telecom companies charging more for video streaming. On some plans, your video streams are limited to a certain speed.

 

[00:08:04] SY: Yup.

 

[00:08:04] JP: Hard to do that if that traffic from YouTube is encrypted, huh?

 

[00:08:08] SY: Yeah, exactly. This just feels very fishy to me. I don’t really trust the underlying reason why they are proclaiming they need that information. I don’t really think that is very valid.

 

[00:08:20] JP: Yeah. I don’t like this. I also don’t understand why they’re having a thing about this. I mean, VPNs are not a new thing, right? Like they’ve existed forever.

 

[00:08:26] SY: That’s true. That’s very true. Yeah. Yeah.

 

[00:08:29] JP: I’ve read some commentary that thinks it’s the ease of use of turning this on. For most users installing a VPN service on your phone…

 

[00:08:37] SY: It’s a pain.

 

[00:08:38] JP: You need to pay extra for it. You’ve got to configure it. It’s pretty nerdy. This iCloud feature is just a single toggle in a control panel. It’s already installed on your phone. So maybe that’s what companies are concerned about.

 

[00:08:48] SY: Yeah. I’m wondering how popular this feature is actually. I’m wondering how many people actually know about it, how many people use that toggle. And I mean, I guess it’s popular enough to get the attention of telecom giants and them being upset about it. But I’m wondering, do people even understand the benefits of these features? It’s kind of what I was thinking.

 

[00:09:07] JP: Yeah. I mean, Apple’s like, they’ve talked about it. It’s been in promotions for iOS. It shows up in the tips section. So when you first get an iPhone, there’s an opt-in thing where you can get some tips that automatically show up in pop-ups. And one of those is, “Hey, turn on Private Relay for protecting your browsing.” So I can’t imagine like telecom providers are really happy about Apple saying like, “Hey, here it is. Turn it on.” This really reminds me of the dust-up that companies like Facebook, Meta, Google, and other online advertisers had when Apple introduced their ad blocking features that were built into Safari. This seems like the exact same thing just with a different industry.

 

[00:09:46] SY: And probably an industry that I feel like maybe has a little more power. Like if Facebook doesn’t like that, there’s an advertising, I’m not really sure what Facebook can really do about that. I guess the thing that’s a little concerning here is telecom companies, I feel like they have a little more power.

 

[00:10:00] JP: Right.

 

[MUSIC BREAK]

 

[00:10:19] SY: So you’ve probably heard of a little word puzzle game called Wordle, which came out in October of last year. The game was created by developer, Josh Wardle, with an A, as a gift for his wife as a web app. And even after it was shared with the world and became massively popular, it continues to be free of cost and free of ads. However, as what happens to all popular things, the game is now suffering from knockoffs. If you search for the game on the Apple App Store, you can already see a bunch of clones of the game, which not only use the same game concept and mechanics, but also even use the same name as the original name, which isn’t copyrighted. Given that these clones are nearly identical to the original, it’s not far-fetched to think that people could be easily bamboozled into thinking they are playing the real thing. I am one of those people, definitely went to the App Store, definitely searched for Wordle, definitely downloaded this game that I did not enjoy. And now that I’ve actually played like the real Wordle, I realized it’s not the same at all. And I didn’t like that game. And I was like, “This game is stupid. I don’t understand what the big hype is,” it’s because I was playing the wrong game.

 

[00:11:30] JP: Yeah. So Apple, I just did a search for Wordle on the App Store. Also full disclosure, I’m a huge Wordle fan. I play it every day. Love it. But I did a search on the App Store just now and Apple says that they’ve removed quite a few of the egregious Wordle clones. You’ll only find one app with the name Wordle. It has an exclamation in it. But this particular app has been out for a couple of years, actually their last update was five years ago.

 

[00:11:53] SY: Predates it, okay.

 

[00:11:54] JP: So yeah, they predate the current Wordle, but the rest of the apps, anything that actually was called Wordle has been removed, but there are a bunch of apps, like Wordus.

 

[00:12:04] SY: Wordus, I'm seeing Wordus. Yeah.

 

[00:12:07] JP: Wordle Word Puzzle, Wordy. They’re very, very similar, but they don’t have the exact same name. I think what’s interesting about Wordle to me is that it’s a web app. It’s just a webpage. And I think your initial instinct was the same one most people will have. They hear about a game on a phone and they’re like, “Oh, I got to go to the App Store and download that.”

 

[00:12:28] SY: Obviously, in the App Store. Yeah.

 

[00:12:30] JP: The idea that it would be on a website that by the way is not Wordle.com. It’s powerlanguage.uk.co. You would never find this just randomly typing around.

 

[00:12:41] SY: Yeah.

 

[00:12:42] JP: I think that’s the same instinct most people would have and some developers were really quick to jump on this trend.

 

[00:12:49] SY: This feels like a case of how things can still kind of work out even when you do everything wrong in marketing. You don’t have a standalone app, you don’t have a good domain name, you didn’t trademark, you’ve got tons of clones, but still it’s really popular. People were still playing. I mean, it’s only been a couple months. So we’ll see how long it lasts. But it still like talk of the town. I see those little Wordle graphics on my Twitter feed all the time, and people are still bragging about their Wordle scores. And it’s a thing. It’s doing really well, even though they’re not doing the right things at all.

 

[00:13:25] JP: So what’s interesting also actually about Wordle is the developer has said he has no plans to monetize it. He’s not taking venture capital. He’s not spinning up a 40-person team to take Wordle to the next level. It was just a little gift he made for his partner.

 

[00:13:41] SY: Yeah, sweet.

 

[00:13:42] JP: He was happy to be interviewed by the New York Times and it’s a fun little blip, and it’s not going to divide his career. I think that’s really refreshing. I think that’s awesome.

 

[00:13:49] SY: That’s pretty cool.

 

[00:13:50] JP: I think where Apple stepped in though was these Wordle were charging money and were charging subscription fees, were charging download fees, and that’s where I think the outcry came. You’ve got a developer that made this really fun toy, is giving it away for free, isn’t looking to monetize it, isn’t looking to make any money off of it. So from a legal perspective doesn’t really have a claim to any damages or lost revenue.

 

[00:14:17] SY: Right. Right.

 

[00:14:18] JP: But I think it left a bad taste in everyone’s mouth that another developer would swoop in and profit off of confusion.

 

[00:14:26] SY: Profit off of confusion, that’s exactly what it is. Yeah. That doesn’t seem right. Coming up next, we talk about a vulnerability that was found in Safari 15’s IndexedDB API after this.

 

[MUSIC BREAK]

 

[00:14:54] SY: Here with us is Valentin Vasilyev, Cofounder and CTO at FingerprintJS. Thank you so much for joining us.

 

[00:15:02] VV: Thanks for having me.

 

[00:15:03] SY: So before we get into Safari 15’s vulnerability, tell us about your developer background.

 

[00:15:08] VV: I used to be a developer for several years, and I maintain several open source projects on GitHub, in JavaScript, TypeScript, Ruby and many other languages. And I was the creator and maintainer of this open source project called FingerprintJS, which I started in 2012 while working for a company that dealt with a lot of coupon and fraud issues related to gift cards. After that, I used to be an engineering manager and then several years later started the company with my co-founder of FingerprintJS.

 

[00:15:40] JP: And can you tell us about FingerprintJS and the work that you do there and the work the company does?

 

[00:15:45] VV: Yeah. FingerprintJS is an API company. We develop API started for developers. Our mission is to empower developers to stop online fraud. So we provide all kinds of APIs to help developers tackle any fraud problems with any complexity. And we do that by providing APIs that are composable and can be used together, targeted at different levels. So for the organization, such as online fraud, mobile device fraud and application environment verification where we determine if it’s safe to run an Android or iOS application inside a mobile device. All these issues are prevalent in modern online companies. And because we focus on APIs, we can usually cover a wide spectrum of requirements from such companies to be able to help them solve their fraud issues.

 

[00:16:34] SY: So let’s get into this vulnerability report that you and your team put out about Safari’s IndexedDB API. How did you find this bug?

 

[00:16:44] VV: So we have several researchers, people whose only job is to take a deep look into internals from browsers. They are obsessed with browser security. They’re obsessed with diving into WebKit source code or Chromium source code. They spend their time in Wireshark and analyzing network packets or reading C++ code on GitHub. And they routinely search for interesting and exciting stuff that exists out there. And one of the researchers, Martin Bajanik, who focused specifically on browser security, he was looking at new APIs that Safari 15 provided. And when looking at those new APIs, he decided to take a look at the IndexedDB implementation and what he saw in each of them that he shared with us that when he was looking at IndexedDBs, he saw IndexedDBs that somehow were copied from other origins or other frames or tabs into his session. And he was very surprised. Initially, he thought it was like an artifact or some issue with the developer tools because he couldn’t delete those databases, but then he tried to angle it and tried to dump the IndexedDB information into the HTML to see whether developer tools were to blame. And he determined that developer tools were unrelated and actually the database names were leaking from one origin to the other. And this is how he determined that he could actually learn that information about available database names from other origins and use that information in the origin, essentially violating the same origin policy.

 

[00:18:18] JP: Okay. So let’s get into the vulnerability itself. Can you give our audience a little refresher on what the IndexedDB API is and what it does?

 

[00:18:26] VV: So there are multiple ways of how you can store information on the client, such as local storage, cookies, and IndexedDB. When you need to store structured information in a DB-like fashion, when you need to essentially store tables and or keys and values, more like a SQL way, you use IndexedDB. So this API is specifically targeted to store structured data in large one. So when you need a large database, you would typically use an IndexedDB because it would query the data efficiently. IndexedDB is prevalent. It’s used by many websites because many websites maintain like user profile information, maybe their settings, maybe their time zone or language preferences. So for all these things, an IndexedDB is very useful because you can very quickly query the information that you need in JavaScript.

 

[00:19:14] SY: Is this vulnerability present in older versions of Safari? And how do you think this vulnerability got into the code in the first place?

 

[00:19:23] VV: To our knowledge, it’s not present in older versions. So for example, if you tested in Safari 14, it’s not there. It’s only in Safari 15. How it got there, I cannot answer that question. I don’t know, but I think a regular development process is always… There is always some risk of introducing a bug or regression and it looks like just a bug that got into Safari 15 and went unnoticed for some time until we found it.

 

[00:19:52] JP: Do you consider this like a bug in the source code, something that can be fixed? Or is this an architectural or design issue?

 

[00:20:01] VV: It is a bug in the source code of WebKit. Just to clarify, Safari uses the WebKit engine. And this is the bug in the WebKit.

 

[00:20:09] JP: Tell us about how you were able to exploit this vulnerability. What kind of terrible things can people do with this?

 

[00:20:16] VV: Yeah. We thought about it and how we could help fix that vulnerability because initially when we discovered that the first thing that we did was submitted this bug report to WebKit Bug Tracker. We did that in the end of November, but we didn’t receive any response for almost two months and we decided that we want to write an article about it to help speed up the process of determining whether this bug is important and essentially help fix this bug. And we explained it by writing an article and publishing in our blog. We also did an explainer video, which we hosted on YouTube. And also Martin, who discovered this bug, he created a demo page, which is hosted on SafariLeaks.com where he shows you exactly what kind of information can be leaked across origins. And the second use case that he highlighted is because Google services, whenever you are authenticated with any of the Google service, such as Google Calendar or Google Keep or YouTube, they actually create IndexedDB databases that contain your Google user ID as part of the database name. So because the DB names leak across origins, what you can do is you can read the available DB names then determine that these DB names belong to YouTube. And then, okay, it belongs to YouTube, now what I can do is I take the name of the database, split it, and I get the user ID. And then Google has People API that allows you to query any person information using that user ID. And what you at the minimum can do is query this profile picture and then maybe search on the profile picture to de-anonymize the person. So these were the concerns that we saw looking at this bug. It’s the fact that the database leaked and also the fact that some companies rely on database naming to store the user information and thus it’s possible to de-anonymize those users by extracting that user ID and querying certain APIs later.

 

[00:22:08] SY: So have you found this exploit in the wild? How many websites are affected?

 

[00:22:13] VV: We haven’t found anyone exploiting this in the wild, but we found that potentially a large proportion of websites is affected because just by looking at the top 1000 Alexa websites by traffic, we could easily find at least 30 websites who were affected by this bug and whose information could be leaked to other origins. So we don’t really know the true scale of this issue because we would need to analyze the entire like Alexa Top 100,000 to be able to understand how many websites were affected or are still affected. But just by looking at the very few, we found that many of them were using IndexedDB in the first place and leaked IndexedDB names because of Safari bug and it was possible to build kind of your browsing activity profile by analyzing those unique database names.

 

[00:23:03] JP: So a site like Google could try to work around this by not putting the user ID and the name of the IndexedDBs they create. Is there anything the end user can do to guard against this? I suppose using a different browser would be one way, but does going into private mode, opening separate windows, does any of that have any effect? Or is this just if you’re using Safari you’re stuck with this?

 

[00:23:26] VV: Yeah. So it depends on your platform. So if you are on a Mac, macOS, MacBook, for example, and let me confirm that only Safari 15 phonology is affected by this. If you’re on Safari 14, you’re fine. If you’re using a MacBook and you’re using macOS, you can just use a different browser such as Firefox, Google Chrome, or any other non-WebKit based browser. If you use a WebKit-based browser on macOS, you’re still affected. So you need to use a different engine. And Firefox and Google Chrome use different engines. For example, Google uses Blink. On iOS, which means iPhone devices, and iPadOS, which means iPads, the situation is more complicated because according to Apple Store policies, you cannot publish web browsers with your own browser engines. You can only use the stock Apple provided WebKit Engine and Risk Engine with your UI. So for example, if I’m a Firefox publishing my browser to Apple Store, I’m restricted from using my own engine. I need to use WebKit and Risk Engine as a Firefox. And for this reason, all browsers from iOS and iPad are affected because there is no way how you can use a different browser there.

 

[00:24:36] SY: So tell us about your reporting process. I know you mentioned that you first reported it back in November. Has Apple responded, begun to fix this vulnerability? What has it been like?

 

[00:24:48] VV: Yeah. We first reported it on November 28th. Then we kept monitoring the WebKit Bug Tracker, but we saw no response, and essentially WebKit Bug Tracker was the only way how we could get in touch with Apple to tell them about that, but there was no other channel of communication. So after waiting almost two months, we decided to publish this to maybe speed up the process of fixing that. We published it on January 15th and the next day, I think, or two days later, I don’t remember it now, but I think it was the next day when we saw some WebKit commits that started to come in from WebKit developers who addressed that vulnerability and they pushed several commits to every source. So if you go to GitHub WebKit mirror, you can see those commits there. Or if it’s the main repo, you essentially can see that. Yeah, the work has started after we published the article. And now even though the commits were made, it still means you’re still vulnerable because in order to make it available to everyone, you need to start the distribution process, so the new update. So it’s going to be like 15.3 on desktop or 15.2, depending on the version that they choose. But essentially the bug is still there. You need to install a new version when Apple ships it and then it will be fixed I hope.

 

[00:26:00] JP: I’m curious how severe of a vulnerability you think this is. And a follow-up question is, what do you think of the timeline for fixing it? Is this taking longer than usual? Is this a shorter process than usual? How does it land on the scale of other vulnerabilities that have been addressed?

 

[00:26:18] VV: I think it is a serious vulnerability because it allows us to de-anonymize users in certain situations, like I described with a YouTube user ID or Google user ID. Regarding the timeline, we don’t have visibility into how fast Apple typically fixes those vulnerabilities. So I could only make a guess about it. I think maybe some kind of message sent to us from Apple would be helpful in determining whether we should wait or whether we should postpone the release, but there was no information coming from Apple. So we were in the darkness about like what to do. So we waited and waited and waited and then nothing happened and then we decided to bother. So that’s how I see it.

 

[00:27:02] SY: Well, thank you so much for joining us.

 

[00:27:03] VV: Thanks for having me.

 

[00:27:15] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight is provided by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513 or email us at [email protected]. Please rate and subscribe to this show wherever you get your podcasts.