Recurring |
one_organization |
(a) The software failure incident related to a violation of the same-origin policy affecting Apple's iOS and iPadOS devices and Safari browser has happened again within the same organization. The incident involves a bug that leaks user identities and browsing activity in real time, which was discovered after the release of Safari 15 and iOS and iPadOS 15 [123200].
(b) There is no information in the provided article about a similar incident happening at other organizations or with their products and services. |
Phase (Design/Operation) |
design |
(a) The software failure incident described in the article is related to the design phase. The violation of the same-origin policy in Apple's iOS, iPadOS, and Safari browser was caused by a bug that leaked user identities and browsing activity in real time. This bug was a result of the way the WebKit browser engine implemented IndexedDB, allowing one site to learn in real time what other websites a user is visiting [123200].
(b) The software failure incident is not related to the operation phase or misuse of the system. |
Boundary (Internal/External) |
within_system |
(a) The software failure incident reported in the article is primarily within_system. The violation of the same-origin policy in Apple's iOS, iPadOS, and Safari browser is a result of a bug in the way the WebKit browser engine implements IndexedDB, a programming interface supported by all major browsers [123200]. This bug allows for the leaking of user identities and browsing activity in real time, indicating that the contributing factors originate from within the system itself. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in this case is primarily due to a bug in Apple's iOS, iPadOS, and Safari browser that violates the same-origin policy, leaking user identities and browsing activity in real time. This violation is a result of the way the WebKit browser engine implements IndexedDB, allowing one site to learn what other websites a user is visiting without human participation [123200].
(b) The failure to address this bug and vulnerability in Safari and Apple's mobile operating systems despite being notified by a security researcher in late November can be attributed to human actions or inactions. The delay in fixing the issue and the lack of response from Apple representatives indicate a failure on the part of the company to promptly address security concerns raised by external researchers [123200]. |
Dimension (Hardware/Software) |
software |
(a) The software failure incident reported in the article is primarily due to contributing factors that originate in software. The incident involves a bug in Apple's iOS, iPadOS, and Safari browser that violates the same-origin policy, leading to a privacy violation where user identities and browsing activity are leaked in real time [123200].
(b) The software failure incident is not attributed to hardware issues but rather to a software bug in Apple's products, specifically in the way the WebKit browser engine implements IndexedDB, causing the breach of the same-origin policy and resulting in the leakage of sensitive user information [123200]. |
Objective (Malicious/Non-malicious) |
non-malicious |
(a) The software failure incident described in the article is non-malicious. The violation of the same-origin policy in Apple's Safari browser and iOS and iPadOS devices was due to a bug that leaked user identities and browsing activity in real time. This bug allowed for the leaking of database names across different origins, leading to a privacy violation. The incident was a result of the way the WebKit browser engine implements IndexedDB, allowing one site to learn in real time what other websites a user is visiting [123200]. |
Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The software failure incident related to the violation of the same-origin policy by Apple's iOS and iPadOS devices and Safari browser can be attributed to poor_decisions. The incident was caused by a bug that leaked user identities and browsing activity in real time due to the way the WebKit browser engine implemented IndexedDB, allowing for the privacy violation [123200]. The failure was a result of a poor decision in the implementation of the IndexedDB interface, leading to the breach of the same-origin policy and the subsequent leakage of sensitive user information. |
Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident reported in Article 123200 is related to development incompetence. The incident involves a bug in Apple's iOS, iPadOS, and Safari browser that violates the same-origin policy, leaking user identities and browsing activity in real time. The violation of this foundational security mechanism was introduced with the release of Safari 15 and iOS and iPadOS 15, indicating a failure due to contributing factors introduced by the development team's lack of professional competence [123200].
(b) The incident does not seem to be related to accidental factors but rather a result of a specific bug in the software that was introduced during development. |
Duration |
temporary |
The software failure incident reported in Article 123200 is temporary. The violation of the same-origin policy in Apple's iOS, iPadOS, and Safari browser has been ongoing since the release of Safari 15 and iOS and iPadOS 15 in September. The bug that leaks user identities and browsing activity in real time is a result of the way the WebKit browser engine implements IndexedDB, allowing one site to learn in real time what other websites a user is visiting. Despite the issue being reported to Apple in late November, as of the publication time of the article, the vulnerability had not been fixed in Safari or the company's mobile operating systems. Apple engineers had merged potential fixes and marked the report as resolved, but end users won't be protected until the WebKit fix is incorporated into Safari 15 and iOS and iPadOS 15. Therefore, the software failure incident is temporary and ongoing [123200]. |
Behaviour |
other |
(a) crash: The software failure incident described in the article is not related to a crash where the system loses state and does not perform any of its intended functions. Instead, the issue is related to a bug in Apple's iOS, iPadOS, and Safari browser that violates the same-origin policy, leading to a privacy violation [123200].
(b) omission: The software failure incident is not due to the system omitting to perform its intended functions at an instance(s). It is more about a bug that leaks user identities and browsing activity in real time, violating the same-origin policy [123200].
(c) timing: The software failure incident is not related to the system performing its intended functions correctly but too late or too early. It is more about a bug in the implementation of IndexedDB that allows one site to learn in real time what other websites a user is visiting, leading to a privacy violation [123200].
(d) value: The software failure incident is not due to the system performing its intended functions incorrectly. It is more about a bug that leaks user identities and browsing activity in real time, violating the same-origin policy [123200].
(e) byzantine: The software failure incident is not related to the system behaving erroneously with inconsistent responses and interactions. It is more about a bug in the implementation of IndexedDB that allows one site to learn in real time what other websites a user is visiting, leading to a privacy violation [123200].
(f) other: The behavior of the software failure incident can be categorized as a privacy violation caused by a bug in Apple's iOS, iPadOS, and Safari browser that violates the same-origin policy. This violation allows websites to access user identities and browsing activity in real time, potentially leading to significant privacy concerns [123200]. |