One bugs in Safari 15 could do leaking your browsing history of users, and also disclose personal data linked to your Google account. This is the warning issued by FingerprintJS, a service that deals with the detection of fraud on browsers. Apparently, the vulnerability stems from a problem with Apple’s implementation of IndexedDB, an API that stores data on the browser. But let’s find out something more.
Safari 15: A bug can reveal users’ personal data and browsing history
According to reports from FingerprintJS, the Safari 15 bug would be related to a problem with the implementation of IndexedDB, an API that adheres to the same origin policy. Essentially, this prevents one source from interacting with data collected on other sources. Therefore, if users open their email in one window and a malicious web page in another, the same origin policy prevents the malicious page from viewing and intruding on the email itself. Apparently, though, Apple’s application of the IndexedDB API in Safari 15 violates the same origin policy.
According to Fingerprint JS, when a site interacts with a database in Safari “a new (empty) database with the same name is created in all other active frames, tabs and windows within the same browser session”. This means that a website can see databases created on other websites, effectively accessing all data that contain. The sites that use the Google account, in fact, all generate databases with the unique Google user ID in the name. In this regard, the Safari 15 bug is worrying because the Google ID allows access to all user information, which thus risks being exposed to other websites.
This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines. https://t.co/aXdhDVIjTT
— Jake Archibald (@jaffathecake) January 16, 2022
FingerprintJS has created a test demo that users can try to understand how the Safari 15 bug allows some sites to extract information from their Google ID. These include sites such as Instagram, Netflix, Twitter and Xbox. But it seems that there are many more sites that suffer from the problem. Unfortunately though, there doesn’t seem to be anything that can be done to fix the problem, as the bug also affects on private browsing mode. And it basically affects all possible browsers. What is surprising is that FingerprintJS reported the problem on November 28, but Apple has not yet released an update to fix the Safari 15 bug. Will it arrive? We hope so.