A Safari 15 bug can leak browsing activity and also reveal personal information attached to Google accounts, according to the latest findings by browser fingerprinting and fraud detection service FingerprintJS.
The vulnerability stems from Apple’s implementation of IndexedDB, an application programming interface (API) that stores data on the browser. The API follows the same-origin policy that restricts one origin from interacting with data collected on other origins — meaning, only the website that generates the data has access to it, FingerprintJS said.
However, Apple’s IndexedDB API in Safari 15 violates the same-origin policy. When a website interacts with the Safari database, a new database with the same name is created in all active tabs, frames, and windows within the same browser session, said FingerprintJS.
The bug enables websites to see the names of databases created on other sites, names containing details specific to user identity. FingerprintJS noted that sites using Google accounts, such as Google Keep, YouTube, and Google Calendar, generate databases with a unique Google User ID in their names. This Google User ID allows Google to access the user’s public information such as profile picture, which the bug can expose to other websites.
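A site-side check that follows from the paragraph above, added here as an example and not code from FingerprintJS or Apple: because database names are what the bug exposes, it flags names on the site's own origin that embed a user identifier. The function names, patterns and sample names are assumptions constructed for illustration.

```javascript
// Added example: audit IndexedDB database names for embedded user identifiers.
// The patterns and sample names are constructed, not taken from any real site.
const IDENTIFIER_PATTERNS = [
  { reason: "email address", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { reason: "UUID", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { reason: "long numeric ID", re: /\d{10,}/ },
];

// names: database names created by the site's own origin.
// sessionIds: identifiers of the signed-in user (account ID, email, ...).
function auditDatabaseNames(names, sessionIds = []) {
  const findings = [];
  for (const name of names) {
    const lower = name.toLowerCase();
    const hit = sessionIds.find((id) => id && lower.includes(String(id).toLowerCase()));
    if (hit !== undefined) {
      findings.push({ name, reason: "contains current user's identifier" });
      continue;
    }
    const pattern = IDENTIFIER_PATTERNS.find((p) => p.re.test(name));
    if (pattern) findings.push({ name, reason: pattern.reason });
  }
  return findings;
}

// In a browser, collect the names for the current origin where the API exists.
async function ownDatabaseNames() {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return [];
  return (await indexedDB.databases()).map((db) => db.name);
}

// Constructed sample names; "u77" stands in for the signed-in user's ID.
const SAMPLE_NAMES = [
  "offline-cache",
  "notes.123456789012345678901",
  "settings-v2",
  "drafts_alice@example.com",
  "sync-3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b",
  "profile-u77",
];

console.log(auditDatabaseNames(SAMPLE_NAMES, ["u77"]));
```

Names that are flagged can be replaced with a fixed, non-identifying name, keeping the user-specific data inside the database rather than in its name.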
The fraud detection service created a proof-of-concept demo for consumers using Safari 15 and above on iPhone, Mac, or iPad. The demo uses Safari’s IndexedDB vulnerability to identify the sites the user has open, and shows how sites exploiting the bug can scrape information from the Google User ID. At present, it can only detect 30 popular sites affected by the bug, including Instagram, Twitter, Netflix, and Xbox.
There is little users can do to get around the issue, as FingerprintJS said the bug also affected Safari’s Private Browsing mode. Mac owners can use a different browser on macOS, but Apple’s ban on third-party browser engines on iOS means all browsers would be affected. Despite FingerprintJS reporting the bug on November 28, Apple has yet to issue an update for Safari.