A bug in Safari 15 could leak your browsing activity and also reveal some personal information associated with your Google account, according to findings from FingerprintJS, a browser fingerprint and fraud detection service (via 9to5Mac). The vulnerability stems from an issue with Apple’s implementation of IndexedDB, an Application Programming Interface (API) that stores data in your browser.
As explained by FingerprintJS, IndexedDB adheres to the same-origin policy, which prohibits one origin from interacting with data collected from another origin – essentially only the website generating data can access it. For example, if you open your email account in one tab and then open a malicious web page in another, the same origin policy prevents the malicious page from viewing and interfering with your email.
FingerprintJS found that Apple’s application of the IndexedDB API in Safari 15 actually violates the same-origin policy. When a website interacts with a database in Safari, FingerprintJS says that “a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”
This means that other websites can see the name of other databases created on other sites that may contain details specific to your identity. FingerprintJS notes that sites that use your Google account, such as YouTube, Google Calendar, and Google Keep, all generate databases with your unique Google user ID in the name. With your Google user ID, Google can access your publicly available information, such as your profile picture, which can expose the Safari bug to other websites.
This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to prevent their data leaking across the source. iOS users have no such choice, as Apple bans other browser engines. https://t.co/aXdhDVIjTT
— Jake Archibald (@jaffathecake) January 16, 2022
FingerprintJS has created a proof-of-concept demo that you can try out if you have Safari 15 and above on your Mac, iPhone, or iPad. The demo uses the browser’s IndexedDB vulnerability to identify the sites you’ve accessed (or recently accessed) and shows how the bug deletes information from your Google user ID. It currently only detects 30 popular sites affected by the bug such as Instagram, Netflix, Twitter, Xbox, but it probably affects many more.
Unfortunately, there’s not much you can do to get around the issue, as FingerprintJS says the bug also affects private browsing mode in Safari. You can use a different browser on macOS, but Apple’s third-party browser engine ban on iOS means all browsers are affected. FingerprintJS reported the leak to the WebKit Bug Tracker on November 28, but there has been no update for Safari yet. The edge contacted Apple with a request for comment, but didn’t hear back immediately.