Main Highlights:
- According to FingerprintJS, a browser fingerprinting and fraud detection service, a bug in Safari 15 may expose your browsing activities and some of the personal information linked with your Google account (via 9to5Mac).
- The weakness lies in Apple’s version of IndexedDB, an application programming interface (API) used to store data in your browser.
- When a website communicates with a database in Safari, FingerprintJS indicates that the website generates a new (empty) database with the same name in each of the other active frames, tabs, and windows inside the same browser session.
- According to FingerprintJS, websites that utilize your Google accounts, such as YouTube, Google Calendar, and Google Keep, construct databases named after your unique Google User ID.
- FingerprintJS has created a proof-of-concept demo, which you can try on a Mac, iPhone, or iPad running Safari 15 or higher.
According to results from FingerprintJS, a browser fingerprinting and fraud detection service, a problem in Safari 15 potentially leak your browsing activity and some of the personal information associated with your Google account. The vulnerability exists due to a flaw in Apple’s implementation of IndexedDB, an application programming interface (API) used to store data in your browser.
As noted by FingerprintJS, IndexedDB adheres to the same-origin policy, which prevents one origin from interacting with data collected by another source — in other words, only the website that generates data has access to it. For instance, if you open your email account in one tab and a malicious webpage in another, the same-origin policy prevents the malicious website from accessing or interfering with your email.
Apple’s IndexedDB API in Safari 15 breaches the same-origin restriction. When a website interacts with a database in Safari, FingerprintJS reports that the website creates a new (empty) database with the same name in every other active frame, tab, and window inside the same browser session.
What does it mean, then?
This means that other websites can see the names of databases established on other websites that may contain information about your identity. FingerprintJS states that websites that use your Google accounts, such as YouTube, Google Calendar, and Google Keep, all create databases with the name of your unique Google User ID. Google uses your Google User ID to access publicly available information about you, such as your profile picture, which the Safari flaw may disclose to other websites.
FingerprintJS has produced a proof-of-concept demo that you can test out on your Mac, iPhone, or iPad running Safari 15 or higher. The demo makes use of the browser’s IndexedDB vulnerability to determine which websites you currently have open (or have recently accessed) and demonstrates how sites that make use of the exposure can scrape information from your Google User ID. It presently identifies the flaw on 30 popular websites, including Instagram, Netflix, Twitter, and Xbox, but it is expected to affect many more.
Unfortunately, you can do little to resolve the issue, as FingerprintJS reports that the bug also affects Safari’s Private Browsing mode. You can use a different browser on macOS, but Apple’s ban on third-party browser engines on iOS affects all browsers. On November 28th, FingerprintJS reported the breach to the WebKit Bug Tracker. However, Safari has not yet received an upgrade. The Verge reached out to Apple for comment but did not immediately respond.
About Safari
Safari is an Apple-developed graphical web browser. It is based primarily on open-source technologies, most notably WebKit. It is compatible with macOS, iOS, and iPadOS; from 2007 to 2010, a Windows version was available. Safari was debuted in January 2003 as part of Mac OS X Panther and has since evolved through fifteen major versions as of 2021. Apple employed a remotely updated plug-in blocklist license to prevent Safari from running potentially hazardous or insecure plugins. The Safari Developer Program, which allowed participants to create browser extensions, costs $ 99 per year.
